
Operations Manager 2007 R2 Security Guide

Microsoft Corporation Published: May, 2009

Author
John Downing

Primary Reviewers
Ian Jirka, Joseph Chan, Lincoln Atkinson, Olof Mases, Ruhiyyih Mahalati, Smita Mahalati, and Tim Helton

Secondary Reviewers
Eugene Bykov, Clive Eastwood, Doug Bradley, Jakub Oleksy, Ranga Kalyanasundaram, and Vitaly Filimonov

Feedback
Send suggestions and comments about this document to momdocs@microsoft.com. Please include the security guide name and published date with your feedback.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveSync, Internet Explorer, Jscript, SharePoint, SQL Server, Visio, Visual Basic, Visual Studio, Win32, Windows, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. 
All other trademarks are property of their respective owners.

Revision History
Release Date | Changes
May, 2009 | The Operations Manager 2007 R2 release of this guide contains the following updates and additions:
• Information for deploying agents to UNIX and Linux systems was added.
• A list of hash values for UNIX and Linux agents was added.

Contents
Security with Operations Manager 2007 R2 ... 5
About the Operations Manager 2007 Security Guide ... 5
New Security Features in Operations Manager 2007 ... 6
Account Information for Operations Manager 2007 ... 6
How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007 ... 11
How to Change the Reporting Server Execution Account Password in Operations Manager 2007 ... 12
How to Change the SDK and Config Service Accounts in Operations Manager 2007 ... 12
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007 ... 13
How to Set the Action Account on Multiple Computers in Operations Manager 2007 ... 14
Role-based Security in Operations Manager 2007 ... 16
Run As Accounts and Run As Profiles in Operations Manager 2007 ... 19
How to Create a Run As Account in Operations Manager 2007 ... 24
How to Create and Configure a Run As Profile in Operations Manager 2007 ... 26
How to Modify an Existing Run As Profile ... 29
Authentication and Data Encryption for Windows Computers in Operations Manager 2007 ... 30
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007 ... 37
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007 ... 38
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007 ... 42
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007 ... 46
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007 ... 50
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007 ... 55
How to Change the Run As Account Associated with a Run As Profile ... 56
How to Configure an HTTPS Binding for a Windows Server 2008 CA ... 57
Authentication and Data Encryption for UNIX and Linux Operating Systems ... 57
How to Manually Install Certificates for Cross-Platform Support ... 59
Using a Firewall with Operations Manager 2007 ... 60
How to Configure the Operations Manager Database to Listen on a Specific TCP/IP Port ... 65
How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port ... 67
Using Certificates with ACS in Operations Manager 2007 ... 69
How to Configure Certificates on the ACS Collector in Operations Manager 2007 ... 71
How to Configure Certificates on the ACS Forwarder in Operations Manager 2007 ... 72
Security Considerations for Agentless Management in Operations Manager 2007 ... 73
Web Console Security in Operations Manager 2007 ... 74
Appendix A - List of Operations in Operations Manager 2007 ... 75
Appendix B - List of Hash Values for UNIX and Linux Agents ... 79

Security with Operations Manager 2007 R2

About the Operations Manager 2007 Security Guide


This guide provides you with security-related information as it pertains to Operations Manager 2007. The topics discussed in this release of the security guide are described in the following section. For future releases of this document, see the Operations Manager 2007 Security Guide (http://go.microsoft.com/fwlink/?LinkId=64017).

In This Section
Topic | Description
Account Information for Operations Manager 2007 | Describes the accounts in Operations Manager 2007 that you will provide credentials for.
Role-based Security in Operations Manager 2007 | Describes how role-based security is implemented.
Run As Accounts and Run As Profiles in Operations Manager 2007 | Describes how Run As Accounts and Run As Profiles are used.
Authentication and Data Encryption for Windows Computers in Operations Manager 2007 | Describes how and when data between various Operations Manager components is encrypted and gives instructions about how to obtain and use certificates.
Authentication and Data Encryption for UNIX and Linux Operating Systems | Describes how to securely deploy agents to UNIX-based and Linux-based computers.
Using Certificates with ACS in Operations Manager 2007 | Describes when certificates must be used so that authentication can take place between the ACS Forwarder and the ACS Collector.
Security Considerations for Agentless Management in Operations Manager 2007 | Provides information about security considerations for agentless management.
Web Console Security in Operations Manager 2007 | Shows how to use Secure Sockets Layer (SSL) with the Web console in Operations Manager 2007.
Appendix A - List of Operations in Operations Manager 2007 | Lists the operations available, broken out by profile.
Appendix B - List of Hash Values for UNIX and Linux Agents | Lists the hash values for the UNIX and Linux agents.

External Resources
For an online version of help, see Operations Manager 2007 Help (http://go.microsoft.com/fwlink/?LinkID=77739).

New Security Features in Operations Manager 2007


The following sections describe security-related features available in Operations Manager 2007 that were not available in Microsoft Operations Manager (MOM) 2005.

Run As Accounts and Run As Profiles


In MOM 2005, the running of all rules and responses used credentials from a single action account, and therefore, the action account needed sufficient rights for all monitored applications. Operations Manager 2007 introduces Run As Accounts and Run As Profiles. Multiple Run As Accounts can monitor multiple applications or components and allow you to create credentials with the least amount of privileges necessary for the desired task. Run As Accounts allow you to manage all passwords and accounts for the entire management group from one location, the root management server.

User Roles
You can access and manipulate Operations Manager 2007 through several methods: through the Operations console, the Web console, Windows PowerShell, or custom applications. In all cases, role-based security ensures that the user credentials supplied are members of a user role in Operations Manager 2007.

Account Information for Operations Manager 2007


During the setup and operation of Operations Manager 2007, you will be asked to provide credentials for several accounts. The beginning of this section provides information about action accounts. Information about other accounts, such as SDK and Config Service, Agent Installation, Data Warehouse Write, and Data Reader accounts, is included.

What Is an Action Account?


The various Operations Manager 2007 server roles, root management server, management server, gateway server, and agent, all contain a process called MonitoringHost.exe. MonitoringHost.exe is what each server role uses to accomplish monitoring activities, such as executing a monitor or running a task. For example, when an agent subscribes to the event log to read events, it is the MonitoringHost.exe process that runs those activities. The account that a MonitoringHost.exe process runs as is called the action account. The action account for the MonitoringHost.exe process running on an agent is called the agent action account. The action account used by the MonitoringHost.exe process on a management server is called the management server action account. The action account used by the MonitoringHost.exe process on a gateway server is called the gateway server action account.

Agent Action Account


Unless an action has been associated with a Run As Profile, the credentials used to perform the action will be those defined for the action account. For more information about the Run As Profile, see Run As Accounts and Run As Profiles in Operations Manager 2007 in this guide. Some examples of actions include the following:
• Monitoring and collecting Windows event log data
• Monitoring and collecting Windows performance counter data
• Monitoring and collecting Windows Management Instrumentation (WMI) data
• Running actions such as scripts or batches

MonitoringHost.exe is the process that runs these actions using the credentials specified in the action account. A new instance of MonitoringHost.exe is created for each account.
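Because one MonitoringHost.exe instance is created per account, listing the running instances and their owners shows which action account and Run As Account credentials are actually in use on a computer. The following PowerShell script is an added example, not code from the guide or the product; it uses only WMI and should be run from an elevated prompt so that instances running as Local System (shown as NT AUTHORITY\SYSTEM) can be read.

```powershell
# Added example (not from the Operations Manager guide): list every
# MonitoringHost.exe instance on this computer together with the account it
# runs as, then summarise one row per distinct account.
function Get-MonitoringHostOwner {
    # Win32_Process.GetOwner() returns Domain, User and ReturnValue (0 = success).
    $processes = Get-WmiObject -Class Win32_Process -Filter "Name='MonitoringHost.exe'"
    foreach ($p in $processes) {
        $owner = $p.GetOwner()
        if ($owner.ReturnValue -eq 0) {
            $account = '{0}\{1}' -f $owner.Domain, $owner.User
        } else {
            # Access denied (not elevated) or the process exited in the meantime;
            # report the WMI return code rather than guessing.
            $account = "<unknown, GetOwner returned $($owner.ReturnValue)>"
        }
        New-Object PSObject -Property @{
            ProcessId = $p.ProcessId
            Account   = $account
            Started   = $p.ConvertToDateTime($p.CreationDate)
        }
    }
}

# Summary: each account in use and how many MonitoringHost.exe instances run under it.
# An unexpected account here is worth reconciling against the Run As Accounts
# defined on the root management server.
Get-MonitoringHostOwner |
    Group-Object -Property Account |
    Select-Object @{Name = 'Account'; Expression = { $_.Name }}, Count |
    Sort-Object -Property Account |
    Format-Table -AutoSize
```

Call Get-MonitoringHostOwner on its own to see the per-process detail (process id and start time) instead of the grouped summary.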

Using a Low-Privileged Account


When you install Operations Manager 2007, you can choose one of two options while assigning the action account:
• Local System
• Domain or Local Account

A common approach is to specify a domain account, which allows you to select a user with the least amount of privileges necessary for your environment. On computers running Windows Server 2003, Windows Server 2003 R2, and the Windows Vista operating system, the default action account must have the following minimum privileges:
• Member of the local Users group
• Member of the local Performance Monitor Users group
• Allow log-on-locally permission (SeInteractiveLogonRight)

Important: The minimum privileges described above are the lowest privileges that Operations Manager 2007 supports for the action account. Other Run As Accounts can have lower privileges. The actual privileges required for the Run As Accounts depend upon which management packs are running on the computer and how they are configured. For more information about which specific privileges are required, see the appropriate management pack guide.

Keep the following points in mind when choosing credentials for the action account:
• A low-privileged account can be used only on computers running Windows Server 2003, Windows Server 2003 R2, and Windows Vista. On computers running Windows 2000 and Windows XP, the action account must be a member of the local Administrators security group or Local System.
• A low-privileged account is all that is necessary for agents that are used to monitor domain controllers.
• Using a domain account requires password updating consistent with your password expiration policies.
• You must stop and then start the System Center Management service if the action account has been configured to use a low-privilege account and the low-privilege account was added to the required groups while the System Center Management service was running.
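The three minimum privileges above can be verified on the agent computer before the account is put into service. The following PowerShell script is an added example, not code from the guide or the product: it checks direct membership of the two local groups, reads the interactive logon right assignments with secedit, and also checks SeDenyInteractiveLogonRight, because a deny assignment overrides the allow. The account name CONTOSO\svc-omaction is an assumed sample value; run the script elevated on the computer that will host the agent.

```powershell
# Added example (not from the Operations Manager guide): check whether a
# candidate action account meets the minimum privileges listed above
# (local Users, local Performance Monitor Users, SeInteractiveLogonRight)
# and that no deny right cancels the logon right. Direct membership only:
# a right that arrives through a nested group is reported as missing.
param(
    [string]$Account = 'CONTOSO\svc-omaction'   # assumed sample value
)

function Get-LocalGroupMember {
    param([string]$GroupName)
    # The WinNT provider returns each direct member's ADsPath, for example
    # WinNT://CONTOSO/svc-omaction; rewrite it as DOMAIN\name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-UserRightHolders {
    param([string]$Right)
    # secedit exports assignments as lines such as
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-ActionAccountPrivileges {
    param([string]$Account)
    $accountSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $inUsers   = @(Get-LocalGroupMember 'Users') -contains $Account
    $inPerfMon = @(Get-LocalGroupMember 'Performance Monitor Users') -contains $Account

    # The logon right may be granted to the account itself or to one of the two
    # groups it is a direct member of (well-known SIDs: Users S-1-5-32-545,
    # Performance Monitor Users S-1-5-32-558).
    $candidates = @($accountSid)
    if ($inUsers)   { $candidates += 'S-1-5-32-545' }
    if ($inPerfMon) { $candidates += 'S-1-5-32-558' }
    $allow = Get-UserRightHolders 'SeInteractiveLogonRight'
    $deny  = Get-UserRightHolders 'SeDenyInteractiveLogonRight'
    $hasLogon = [bool]($candidates | Where-Object { $allow -contains $_ })
    $isDenied = [bool]($candidates | Where-Object { $deny  -contains $_ })

    New-Object PSObject -Property @{
        Account                 = $Account
        LocalUsersMember        = $inUsers
        PerformanceMonitorUsers = $inPerfMon
        InteractiveLogonAllowed = $hasLogon
        InteractiveLogonDenied  = $isDenied
        MeetsMinimum            = ($inUsers -and $inPerfMon -and $hasLogon -and -not $isDenied)
    }
}

Test-ActionAccountPrivileges -Account $Account | Format-List
```

If MeetsMinimum is false only because the account was added to the groups after the agent started, remember the last point in the list above: stop and start the System Center Management service so the new group membership is picked up.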

Notification Action Account


The Notification Action Account is a Run As Account that is created by the user to configure notifications. This is the action account that is used for creating and sending notifications. Ensure that the credentials you use for this account have sufficient rights for the SMTP server, instant messaging server, or SIP server that you will use for notifications. If you change the password for the credentials you entered for the Notification Action Account, you will need to make the same password changes for the Run As Account.

Managing Action Account Credentials


For the account you choose, Operations Manager will determine what the password expiration date is and generate an alert 14 days before the account expires. When you change the password in Active Directory, you can change the password for the action account in Operations Manager on the Account tab of the Run As Account Properties page. For more information about managing the action account credentials, see How to Change the Credentials for the Action Account in Operations Manager (http://go.microsoft.com/fwlink/?LinkId=88304). You can use a Windows PowerShell script, set-ActionAccount.ps1, to set the action account on multiple computers. For more information, see the SC Ops Mgr 2007 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=92596). The script allows you to set the action account on all of the computers defined in a computer group. See How to Set the Action Account on Multiple Computers in Operations Manager 2007 in the Security Guide.
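The same 14-day check can be run from the command line against Active Directory, for example as a scheduled job that warns the team responsible for the action account. The following PowerShell function is an added example, not code from the guide or the Resource Kit; it queries the domain the computer is joined to and assumes the sample account name svc-omaction. The 0x10000 flag (DONT_EXPIRE_PASSWORD) and the constructed attribute msDS-UserPasswordExpiryTimeComputed are standard Active Directory values, not something the guide mentions.

```powershell
# Added example (not from the Operations Manager guide): report how many days
# remain before a domain account's password expires, using the 14-day
# threshold at which the guide says Operations Manager raises an alert.
function Get-PasswordExpiryDays {
    param([string]$SamAccountName)
    # msDS-UserPasswordExpiryTimeComputed is evaluated by the domain controller
    # from pwdLastSet and the effective password policy (including fine-grained
    # policies) and is returned as a FILETIME (Int64).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' was not found in the domain" }

    # Property names in a SearchResult are lower-cased.
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if ($uac -band 0x10000) { return $null }            # DONT_EXPIRE_PASSWORD is set
    $expiry = [Int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
    if ($expiry -eq [Int64]::MaxValue) { return $null }  # no expiry under the effective policy

    $expiresOn = [DateTime]::FromFileTime($expiry)
    [int][math]::Floor(($expiresOn - (Get-Date)).TotalDays)
}

$days = Get-PasswordExpiryDays -SamAccountName 'svc-omaction'   # assumed sample account
if ($days -eq $null) {
    'Password is set never to expire; review this against your password policy.'
} elseif ($days -le 14) {
    "Password expires in $days day(s): change it in Active Directory and then update the Run As Account in Operations Manager."
} else {
    "Password expires in $days day(s)."
}
```

A negative result means the password has already expired and the MonitoringHost.exe instances running under that account will fail to log on until it is changed in both places.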

SDK and Config Service Account


The SDK and Config Service account is one set of credentials that is used by the System Center Data Access service and System Center Management Configuration service to update and read information in the Operations Manager database. Operations Manager ensures that the credentials used for the SDK and Configuration action account will be assigned to the sdk_user role in the Operations Manager database. The SDK and Config Service account can be configured as either Local System or as a domain account. A Local User account is not supported. If the root management server and the Operations Manager database are on different computers, the SDK and Config Service account will need to be changed to a domain account. For better security, we recommend that you use an account different from the one used for the management server action account. To change these accounts, see the Knowledge Base article How to change the credentials for the OpsMgr SDK Service and for the OpsMgr Config Service in Microsoft System Center Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=112435).

Agent Installation Account


When implementing discovery-based agent deployment, you are prompted for an account with administrator user rights. This account is used to install the agent on the computer, and therefore it must be a local administrator on all the computers you are deploying agents to. The management server action account is the default account for agent installation. If the management server action account does not have administrator rights, select Other user account and type an account with administrator rights. This account is encrypted before being used and then discarded.

Data Warehouse Write Account


The Data Warehouse Write Account writes data from the root management server or management server to the Reporting data warehouse and reads data from the Operations Manager database. The credentials you supply for this account will be made a member of the roles according to the application, as described in the following table.
Application | Database/Role | Role/Account
Microsoft SQL Server 2005 | OperationsManager | db_datareader
Microsoft SQL Server 2005 | OperationsManager | dwsync_user
Microsoft SQL Server 2005 | OperationsManagerDW | OpsMgrWriter
Microsoft SQL Server 2005 | OperationsManagerDW | db_owner
Operations Manager 2007 | User Role | Operations Manager Report Security Administrators
Operations Manager 2007 | Run As Account | Data Warehouse Action Account
Operations Manager 2007 | Run As Account | Data Warehouse Configuration Synchronization Reader Account

If you change the password for the credentials you entered for the Data Warehouse Write account, you will need to make the same password changes for the following accounts:
• Run As Account called Data Warehouse Action Account
• Run As Account called Data Warehouse Configuration Synchronization Reader Account

Data Reader Account


This account is used to deploy reports, define what user the SQL Reporting Services uses to run queries against the Reporting data warehouse, and for the SQL Reporting Services IIS Application Pool account to connect to the root management server. This account is added to the Report Administrator User Profile. The credentials you supply for this account will be made a member of the roles according to the application, as described in the following table.
Application | Database/Role | Role/Account
Microsoft SQL Server 2005 | Reporting Server Installation Instance | Report Server Execution Account
Microsoft SQL Server 2005 | OperationsManagerDW | OpsMgrReader
Operations Manager 2007 | User Role | Operations Manager Report Security Administrators
Operations Manager 2007 | User Role | Operation Manager Report Operators
Operations Manager 2007 | Run As Account | Data Warehouse Report Deployment Account
IIS | Application Pool | ReportServer$<INSTANCE>
Windows Service | SQL Server Reporting Services | Log On account

If you change the password for the credentials you entered for the Data Reader account, you will need to make the same password changes for the following accounts:
• Report Server Execution Account
• The SQL Server Reporting Services service account on the computer hosting SQL Server Reporting Services (SRS)
• The IIS ReportServer$<INSTANCE> Application Pool account
• Run As Account called Data Warehouse Report Deployment Account
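The SQL Server rows of the two tables above (Data Warehouse Write account and Data Reader account) can be audited from the database side, which catches both a missing role after a manual change and extra roles that have crept in. The following PowerShell script is an added example, not code from the guide or the product. It assumes the database user name equals the Windows login (DOMAIN\user), that the caller can read sys.database_role_members in both databases over integrated authentication, and the sample names SQL01, CONTOSO\svc-omdwwrite and CONTOSO\svc-omdatareader.

```powershell
# Added example (not from the Operations Manager guide): compare the database
# roles each account actually holds against the roles listed in the guide's
# tables for the Data Warehouse Write and Data Reader accounts.
$SqlServer = 'SQL01'                         # assumed: hosts both databases
$Expected = @{
    'CONTOSO\svc-omdwwrite' = @{             # Data Warehouse Write Account (assumed name)
        'OperationsManager'   = @('db_datareader', 'dwsync_user')
        'OperationsManagerDW' = @('OpsMgrWriter', 'db_owner')
    }
    'CONTOSO\svc-omdatareader' = @{          # Data Reader Account (assumed name)
        'OperationsManagerDW' = @('OpsMgrReader')
    }
}

function Get-DatabaseRoles {
    param([string]$Server, [string]$Database, [string]$UserName)
    # sys.database_role_members covers fixed roles (db_owner, db_datareader)
    # as well as the roles created by Operations Manager setup.
    $query = @"
SELECT r.name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE m.name = @user
"@
    $connString = "Server=$Server;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    # Parameterised, so the account name is never concatenated into the SQL text.
    [void]$cmd.Parameters.AddWithValue('@user', $UserName)
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetString(0) }
    } finally {
        $conn.Close()
    }
}

foreach ($account in $Expected.Keys) {
    foreach ($db in $Expected[$account].Keys) {
        $actual = @(Get-DatabaseRoles -Server $SqlServer -Database $db -UserName $account)
        foreach ($role in $Expected[$account][$db]) {
            $status = if ($actual -contains $role) { 'OK' } else { 'MISSING' }
            '{0,-8} {1} {2} {3}' -f $status, $account, $db, $role
        }
        # Roles beyond the documented set are reported too: they usually mean
        # someone widened the account's rights by hand.
        foreach ($role in $actual) {
            if ($Expected[$account][$db] -notcontains $role) {
                '{0,-8} {1} {2} {3}' -f 'EXTRA', $account, $db, $role
            }
        }
    }
}
```

The non-SQL rows (Report Server Execution Account, the IIS application pool identity, the SRS service log-on account and the Run As Accounts) are not visible from the databases and still need the procedures referenced under See Also.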

See Also
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Change the SDK and Config Service Accounts in Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
How to Set the Action Account on Multiple Computers in Operations Manager 2007

How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007
If the password changes for the account you specified as the Data Reader Account during the setup of the reporting server, you can use the following procedure to change the IIS ReportServer Application Pool account password on the computer running SQL Server Reporting Services.

To change the IIS ReportServer Application Pool account
1. On the computer running SQL Server Reporting Services, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, expand <Computer Name> (local computer), expand Application Pools, right-click ReportServer<INSTANCE>, and then click Properties.
3. In the ReportServer<INSTANCE> Properties dialog box, click Identity.
4. In the Password text box, type the new password, and then click OK.
5. Close Internet Information Services (IIS) Manager.

See Also
How to Change the Reporting Server Execution Account Password in Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007


How to Change the Reporting Server Execution Account Password in Operations Manager 2007
If the password changes for the account you specified as the Data Reader Account during the setup of the reporting server, use the following procedure to change the Execution account password on the reporting server.

To change the Reporting Server Execution account password
1. On the computer hosting the Reporting Server, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click Reporting Services Configuration.
2. In the Reporting Server Installation Instance Selection dialog box, click Connect.
3. In the Reporting Services Configuration Manager pane, in the left pane, click Execution Account.
4. In the Execution Account pane, type the new password for the execution account.
5. Click Apply, and then click Exit to close Reporting Services Configuration Manager.

See Also
How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007
How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007

How to Change the SDK and Config Service Accounts in Operations Manager 2007
During the install of Operations Manager 2007, you are prompted for credentials for two services. The names for these services changed with the introduction of Operations Manager 2007 R2. If you want to change the password for the credentials that you provided or use a different set of credentials, follow the procedure for the version of Operations Manager that you are using.

Note: The same credentials must be used for both services.

To change credentials or password for the Operations Manager 2007 SP1 services
1. On the computer hosting the root management server, on the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type services.msc, and then click OK.
3. In the list of services, right-click SDK Service, and then click Properties.
4. In the SDK Properties dialog box, click the Log On tab.
5. Enter new credentials or change the password of the existing credentials, and then click OK.
6. In the list of services, right-click Config service, and then click Properties.
7. In the Config Properties dialog box, click the Log On tab.
8. Enter new credentials or change the password of the existing credentials, and then click OK.
9. Stop and restart both the SDK service and Config service.

To change credentials or password for the Operations Manager 2007 R2 services
1. On the computer hosting the root management server, on the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type services.msc, and then click OK.
3. In the list of services, right-click System Center Data Access service, and then click Properties.
4. In the System Center Data Access Properties dialog box, click the Log On tab.
5. Enter new credentials or change the password of the existing credentials, and then click OK.
6. In the list of services, right-click System Center Management Configuration service, and then click Properties.
7. In the System Center Management Configuration Properties dialog box, click the Log On tab.
8. Enter new credentials or change the password of the existing credentials, and then click OK.
9. Stop and restart both the System Center Data Access service and System Center Management Configuration service.

How to Change the Windows Service Account Password for the SQL Server Reporting Service in Operations Manager 2007
If the password changes for the account you specified as the Data Reader Account during the setup of the reporting server, use the following procedure to change the password of the Windows service account for SQL Server Reporting Services on the computer running SQL Server Reporting Services (SRS).

To change the Windows service account for the SQL Server Reporting Services
1. On the computer running SQL Server Reporting Services, on the Windows desktop, click Start, point to Settings, and then click Run.
2. In the Run dialog box, type services.msc, and then click OK.
3. In Services, scroll down the list, right-click SQL Server Reporting Services (<INSTANCE>), and then click Properties.
4. In the SQL Server Reporting Services (<INSTANCE>) Properties dialog box, click Log On.
5. In the Password and Confirm Password text boxes, type the new password, and then click OK.
6. Close Services, and then close Administrative Tools.
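The two services.msc procedures above (the SDK and Config service accounts on the root management server, and the SQL Server Reporting Services service account) are the same Log On change applied to different services. The following PowerShell script is an added example, not code from the guide or the product: it performs that change through Win32_Service.Change, applies one credential to both Operations Manager 2007 R2 services so the "same credentials" rule in the note is met by construction, and then restarts them. The services are found by the display names the procedure gives; the account CONTOSO\svc-omsdk is an assumed sample value. Run it elevated on the root management server; for the Reporting Services service, call the function with the display name SQL Server Reporting Services (<INSTANCE>).

```powershell
# Added example (not from the Operations Manager guide): set the log-on
# account of a Windows service and restart it, via WMI rather than services.msc.
function Set-ServiceLogon {
    param(
        [string]$DisplayName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $svc = @(Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE '$DisplayName%'")
    if ($svc.Count -eq 0) { throw "Service '$DisplayName' not found" }
    if ($svc.Count -gt 1) { throw "Display name '$DisplayName' matches more than one service" }
    $svc = $svc[0]
    # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
    # StartMode, DesktopInteract, StartName, StartPassword, ...); $null leaves a
    # field unchanged. The password is handed to WMI once and not kept here.
    $plain = $Credential.GetNetworkCredential().Password
    $result = $svc.Change($null, $null, $null, $null, $null, $null,
                          $Credential.UserName, $plain)
    if ($result.ReturnValue -ne 0) {
        throw "Change on '$($svc.DisplayName)' failed with return code $($result.ReturnValue)"
    }
    $svc.Name   # internal service name, used for the restart
}

# Prompt once: the note above requires identical credentials for both services.
$cred = Get-Credential -Credential 'CONTOSO\svc-omsdk'   # assumed sample account
$names = @(
    (Set-ServiceLogon -DisplayName 'System Center Data Access' -Credential $cred),
    (Set-ServiceLogon -DisplayName 'System Center Management Configuration' -Credential $cred)
)

# Change() only updates the stored log-on; the running processes keep their old
# identity until restarted (step 9 of the procedure). If the account lacks the
# "Log on as a service" right the restart fails here rather than silently.
foreach ($n in $names) { Restart-Service -Name $n -Force }
Get-Service -Name $names | Format-Table Name, DisplayName, Status -AutoSize
```

Since the credential is entered interactively and passed straight to WMI, nothing is written to a script file or transcript; avoid wrapping the call in a script that takes the password as a plain-text argument.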

See Also
How to Change IIS ReportServer Application Pool Account Password for Operations Manager 2007
How to Change the Reporting Server Execution Account Password in Operations Manager 2007

How to Set the Action Account on Multiple Computers in Operations Manager 2007
This procedure shows you how to use a Windows PowerShell script, set-ActionAccount.ps1, to set the action account on multiple computers. You will need to download the set-ActionAccount.ps1 script to the computer that hosts the Operations console and Operations Manager 2007 Command Shell. For more information about the set-ActionAccount.ps1 script, see the SC Ops Mgr 2007 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=92596). You can specify the computers you want to change the action account for by either creating a new computer group or by selecting a computer group from discovered inventory. Both procedures are described in the following sections. For the purposes of these procedures, it is assumed that the set-ActionAccount.ps1 script was downloaded to a user's My Documents folder on the C drive.

To set the action account on multiple computers
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Monitoring button.
   Note: When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server Name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Monitoring pane, right-click Monitoring, point to New, and then click State View.
4. In the Properties dialog box, in the Name text field, enter a new name for this view (for example, My Computer Group).
5. On the Criteria tab, in the Show data related to list box, click the ellipsis (...) button.
6. In the Select a Target Type dialog box, in the Look for text field, type Computer Group, click View all Targets, select Computer Group in the list, and then click OK.
7. In the Properties dialog box, click OK.
8. In the Monitoring pane, expand Monitoring, and then click the view you just created (for example, click My Computer Group).
9. In the results pane (for example, the My Computer Group results pane), right-click the computer group containing target computers that you want to change the action account for, click Open, and then click Command Shell.
10. In the Windows PowerShell window, type the path to the script followed by the name of the script, and then followed by the action account you want to change to. For example, type c:\Documents and Settings\<user>\My Documents\set-ActionAccount "ActionAccount" (where ActionAccount is the credentials (domain\username) for the action account that you want to set on multiple computers), and then press ENTER.

To set the action account on multiple computers using discovered inventory
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Monitoring button.
   Note: When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server Name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Monitoring pane, expand Monitoring, and then click Discovered Inventory.
4. In the Actions pane, expand State Actions, and then click Change target type.
5. In the Select a Target Type dialog box, select View all targets.
6. In the Look for text box, type Computer Group.
7. In the Target column, click Computer Group, and then click OK.
8. In the Discovered Inventory (Computer Group) results pane, right-click the computer group containing target computers that you want to change the action account for, click Open, and then click Command Shell.
9. In the Windows PowerShell window, type the path to the script followed by the name of the script, and then followed by the action account you want to change to. For example, type c:\Documents and Settings\<user>\My Documents\set-ActionAccount "ActionAccount" (where "ActionAccount" is the credentials (domain\username) for the action account that you want to set on multiple computers), and then press ENTER.


Role-based Security in Operations Manager 2007


You can access and manipulate Operations Manager 2007 by using the Operations console, the Web console, Windows PowerShell, or custom applications. In all cases, role-based security ensures that the user credentials supplied are members of a user role in Operations Manager. Operations Manager 2007 can monitor many different types of applications in the enterprise, and these applications can be administered by multiple teams. As the Operations Manager administrator, you can limit access to each team so they access only their monitoring data. Role-based security allows you to grant access to monitoring data, tools, and actions on a team-by-team basis.

Terminology and Concepts


The terminology regarding role-based security is described in the following table.
Term | Meaning
Operation/Privilege | A securable action, such as resolving alerts, executing tasks, overriding monitors, creating user roles, viewing alerts, viewing events, and so on. For a list of the available operations, see Appendix A.
Profile | A collection of operations that are granted to a persona; for example, Administrator or Operator. Operations Manager 2007 contains the following profiles: Administrator, Advanced Operator, Author, Operator, Read-Only Operator, Report Operator, and Report Security Administrator.
Scope | Defines the boundaries of the running of profile operations, for example, tasks and groups.
User Roles | The combination of a profile and scope.
Role assignment | An association of Windows users and groups to Operations Manager roles.


Scope
All management pack objects, for example, attributes, monitors, object discoveries, rules, tasks, and views, are scoped by targets (also called types or classes). A target as defined in a management pack represents a certain type of object. All objects of this type share some common characteristics. Everywhere objects of this type exist there is a common way of discovering them, a common set of properties that can be discovered, and a common way to monitor them. By default, before any management packs are imported, 163 targets are created in Operations Manager 2007.

Groups are logical collections of objects, such as Windows-based computers, hard disks, or instances of Microsoft SQL Server.

Tasks can either be an agent task or a console task. Agent tasks can run remotely on an agent or a management server, while console tasks can run only on the local computer. In addition, console tasks are not scoped by user roles; they are available to all users. In Operations Manager 2007, you can have a batch file or script run as a task remotely or locally, but if the task is generated by an alert or an event, it can only be run locally.

Views are groups of managed objects that have a commonality, which is defined in the view properties. When you select a view, a query is sent to the Operations Manager database and the results of the query are displayed in the results pane.

User Role
In Operations Manager 2007, a user role is created by defining a union of profile and scope. You create a user role from within one of the five predefined profiles, or one of the seven predefined profiles if Reporting has been installed, and then define an appropriate scope. The following table defines the profile types, and an appropriate scope for each.
Administrator
  Profile description: Has full privileges to Operations Manager; no scoping of the Administrator profile is supported.
  Role scope: Full access to all Operations Manager data, services, administrative, and authoring tools.

Advanced Operator
  Profile description: Has limited change access to Operations Manager configuration; ability to create overrides to rules and monitors for targets or groups of targets within the configured scope. Advanced Operator also inherits Operator privileges.
  Role scope: Can be scoped against any groups, views, and tasks currently present and those imported in the future.

Author
  Profile description: Has ability to create, edit, and delete tasks, rules, monitors, and views within configured scope. Author also inherits Advanced Operator privileges.
  Role scope: Can be scoped against any target, groups, views, and tasks currently present and those imported in the future. The Author role is unique in that this is the only profile type that can be scoped against the targets.

Operator
  Profile description: Has ability to edit or delete alerts, run tasks, and access views according to configured scope. Operator also inherits Read-Only Operator privileges.
  Role scope: Can be scoped against any groups, views, and tasks currently present and those imported in the future.

Read-Only Operator
  Profile description: Has ability to view alerts and access views according to configured scope.
  Role scope: Can be scoped against any groups and views currently present and those imported in the future.

Report Operator
  Profile description: Has ability to view reports according to configured scope.
  Role scope: Globally scoped.

Report Security Administrator
  Profile description: Enables integration of SQL Reporting Services security with Operations Manager roles.
  Role scope: No scope.

Important
Adding a computer account as a user role member would allow all services on that computer to have SDK access. It is recommended that you do not add a computer account to any user role.

Except for the Administrator role, you can add Active Directory security groups or individual accounts to any of these predefined roles. You can add only Active Directory security groups to the Administrator role. Adding users or a group to a role means that those individuals will be able to exercise the given role privileges across the scoped objects (including any inherited objects).

Note
The predefined roles are globally scoped, giving them access to all groups, views, targets, and tasks, except for Report Security Administrator.

Operations Manager also allows you to create custom roles based on the Operator, Read-Only Operator, Author, and Advanced Operator profiles. When you create the role, you can further narrow the scope of groups, tasks, and views that the role can access. For example, you can create a role entitled "Exchange Operator" and narrow the scope to only Exchange-related groups, views, and tasks. User accounts assigned to this role will only be able to run Operator-level actions on Exchange-related objects.

Important
Make sure that you create a domain security group for the Operations Manager Administrators role. This group is required to be in place during the first setup run for a management group.

For more information about how to administer security roles, accounts, and profiles in Operations Manager 2007, see the topic How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=88131).
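The Important note above warns against adding computer accounts to user roles. As an added example that is not part of this guide, the following PowerShell function audits role membership for that condition; it assumes the Operations Manager Command Shell cmdlet Get-UserRole and that each role object exposes Name, ProfileDisplayName, and Users (a collection of DOMAIN\name strings), and the sample roles it runs against are constructed.

```powershell
# Added example (not from the Operations Manager 2007 R2 Security Guide).
# Audits user role membership for computer accounts, which the guide says should
# never be role members because every service on that computer would gain SDK access.
# Assumed: Get-UserRole exists in the Command Shell and each role exposes
# Name, ProfileDisplayName and Users (collection of "DOMAIN\name" strings).

function Find-ComputerAccountRoleMembers {
    # Accepts role objects on the pipeline and emits one finding per member that
    # is a computer account. In Active Directory the SAM account name of a
    # computer account always ends with '$' (for example CONTOSO\RMS01$).
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Role
    )
    process {
        foreach ($member in @($Role.Users)) {
            if ($member -match '\$$') {
                New-Object PSObject -Property @{
                    Role    = $Role.Name
                    Profile = $Role.ProfileDisplayName
                    Member  = $member
                    Finding = 'Computer account in user role; remove it and grant access through a domain security group'
                }
            }
        }
    }
}

# Constructed sample roles so the function can be exercised without a management group.
$sampleRoles = @(
    (New-Object PSObject -Property @{
        Name               = 'Operations Manager Administrators'
        ProfileDisplayName = 'Administrator'
        Users              = @('CONTOSO\OpsMgrAdmins')              # a security group: fine
    }),
    (New-Object PSObject -Property @{
        Name               = 'Exchange Operator'
        ProfileDisplayName = 'Operator'
        Users              = @('CONTOSO\exchops', 'CONTOSO\EXCH01$') # EXCH01$ is a computer account
    })
)

# Expect exactly one finding: CONTOSO\EXCH01$ in the Exchange Operator role.
$findings = @($sampleRoles | Find-ComputerAccountRoleMembers)
$findings | Format-Table Role, Profile, Member, Finding -AutoSize

# Against a live management group, run the audit in the Operations Manager Command Shell:
# Get-UserRole | Find-ComputerAccountRoleMembers | Format-Table Role, Profile, Member -AutoSize
```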

Run As Accounts and Run As Profiles in Operations Manager 2007


Rules, tasks, monitors, and discoveries defined in a management pack require credentials to run on a targeted computer. By default, rules, tasks, monitors, and discoveries run using the default action account for the agent or server. For example, if the action is run on an agent, the credentials used for the action will come from the agent action account. For more information about the action account, see Account Information for Operations Manager 2007 in this guide.

Run As accounts and Run As profiles allow you to run different rules, tasks, monitors, or discoveries under different accounts on different computers. Management packs no longer share the same identity and therefore allow you to use a low privilege account as your action account. Run As accounts support the following account types:

- Windows - Windows credentials, for example, domain\user name, or user name@FullyQualifiedDomainName, and the associated password
- Community String - SNMP version 2 community string
- Basic Authentication - standard basic Web authentication
- Simple Authentication - any generic user name and password combination, for example, Web form, SQL authentication, or anything else that accepts user name and password
- Digest Authentication - standard digest Web authentication
- Binary Authentication - user-defined authentication
- Action account - Windows credential that can only be assigned to the action account profile

A Run As account allows you to specify the necessary privileges for use with rules, tasks, monitors, and discoveries targeted to specific computers on an as-needed basis. Data is encrypted between the root management server and the targeted computer when credentials are being transferred, and the credentials are securely stored on the targeted computer.

A particular task, rule, monitor, or discovery can be associated with a Run As profile. This association is made when the management pack is created. The Operations Manager Administrator has the option of associating other Run As accounts for the particular Run As profile on a targeted computer.

For example, Alice is working on a SQL management pack and is creating a Get DB Statistics task. Alice knows that the action account will not have sufficient rights to run this task; however, Bob, the SQL Administrator, does. Alice needs to configure the task to run with Bob's credentials. While authoring the management pack, Sam creates a Run As profile called DB Operators and associates it with the task module. When the SQL management pack containing the Get DB Statistics task is imported into Operations Manager 2007, the Run As profile associated with the task will be included in the import and DB Operators will appear in the list of available Run As profiles. The Operations Manager 2007 administrator will create a Run As account configured with Alice's credentials. The Run As account is then associated with the Run As profile that the task will use. The target computer on which the Run As account will be used is explicitly specified in the Run As profile.

Note
The default account for the Run As profile is the action account. Give appropriate thought to what the action account should be and choose an account with appropriate permissions. In most instances, a domain administrator would not be a good choice.

Operations Manager 2007 administrators can associate different Run As accounts for different target computers with each Run As profile. This association is useful in cases in which the Run As profile is used on a different computer when each computer requires a different credential. Alice has user rights to run the task on computer 1 running SQL Server, while Bob has user rights on computer 2 running SQL Server. In this situation, separate Run As accounts are created for Alice and Bob and both are associated with the single Run As profile. This assignment must be made on two separate computers.

Run As Profiles in Operations Manager 2007


In addition to the Run As profiles you can create, Operations Manager 2007 includes the Run As profiles described in the following table. These profiles are used by Operations Manager 2007 itself.

Active Directory Based Agent Assignment Account
  Description: Account used by the Active Directory-based agent assignment module to publish assignment settings to Active Directory.
  Run As account: Local System Windows Account

Automatic Agent Management Account
  Description: This account will be used to automatically diagnose agent failures.
  Run As account: None

Client Monitoring Action Account
  Description: If specified, used by Operations Manager 2007 to run all client monitoring modules. If not specified, Operations Manager 2007 uses the default action account.
  Run As account: None

Connected Management Group Account
  Description: Account used by the Operations Manager management pack to monitor connection health to the connected management groups.
  Run As account: None

Data Warehouse Account
  Description: If specified, this account is used to run all Data Warehouse collection and synchronization rules instead of the default action account. If this account is not overridden by the Data Warehouse SQL Server Authentication account, this account is used by collection and synchronization rules to connect to the Data Warehouse databases using Windows integrated authentication.
  Run As account: None

Data Warehouse Report Deployment Account
  Description: This account is used by Data Warehouse report autodeployment procedures to execute various report deployment-related operations.
  Run As account: Data Warehouse Report Deployment Account

Data Warehouse SQL Server Authentication Account
  Description: If specified, this login name and password is used by collection and synchronization rules to connect to the Data Warehouse databases using SQL Server authentication.
  Run As account: Data Warehouse SQL Server Authentication Account

Default Action Account
  Description: The default Health Service Action Account.
  Run As account: The account credentials provided during setup.

MPUpdate Action Account
  Description: This account is used by the MPUpdate notifier.
  Run As account: None

Notification Account
  Description: Windows account used by notification rules. Use this account's e-mail address as the e-mail and instant message 'From' address.
  Run As account: None

Operational Database Account
  Description: This account is used to read and write information to the Operations Manager database.
  Run As account: None

Privileged Monitoring Account
  Description: This profile is used for monitoring which can only be done with a high level of privilege to a system; for example, monitoring that requires Local System or Local Administrator permissions. This profile defaults to Local System unless specifically overridden for a target system.
  Run As account: None

Reporting SDK SQL Server Authentication Account
  Description: If specified, this login name and password is used by the SDK Service to connect to the Data Warehouse databases using SQL Server authentication.
  Run As account: Reporting SDK SQL Server Authentication Account

Reserved
  Description: This profile is reserved and must not be used.
  Run As account: None

Validate Alert Subscription Account
  Description: Account used by the validate alert subscription module that validates that notification subscriptions are in scope. This profile needs administrator rights.
  Run As account: Local System Windows Account

Windows Cluster Action Account
  Description: This profile is used for all discovery and monitoring of Windows Cluster components. This profile defaults to the action account unless specifically populated by the user.
  Run As account: None

WS-Management Action Account
  Description: This profile is used for WS-Management access.
  Run As account: None

Run As accounts and Run As profiles in Operations Manager 2007 R2


With the release of Operations Manager 2007 R2, the following additional features have been added for Run As accounts and Run As profiles: distribution and targeting. The following sections explain distribution and targeting and the effects these features have on security.

Understanding Distribution and Targeting


Both Run As account distribution and Run As account targeting must be correctly configured for the Run As profile to work properly. When you configure a Run As profile, you select the Run As accounts you want to associate with the Run As profile. After you create that association, you can specify the class, group, or object against which the Run As account is to be used for running tasks, rules, monitors, and discoveries. Distribution is an attribute of a Run As account, and you can specify which computers will receive the Run As account credentials. You can choose to distribute the Run As account credentials to every agent-managed computer or only to selected computers.

Example of Run As account targeting: Physical computer ABC hosts two instances of Microsoft SQL Server, instance X and instance Y. Each instance uses a different set of credentials for the sa account. You create a Run As account with the sa credentials for instance X, and you create a different Run As account with the sa credentials for instance Y. When you configure the SQL Server Run As profile, you associate both Run As account credentials, for example, X and Y, with the profile and specify that the Run As account instance X credentials are to be used for SQL Server instance X and that the Run As account Y credentials are to be used for SQL Server instance Y. Then you must also configure each set of Run As account credentials to be distributed to physical computer ABC.

Example of Run As account distribution: SQL Server1 and SQL Server2 are two different physical computers. SQL Server1 uses the UserName1 and Password1 set of credentials for the SQL sa account. SQL Server2 uses the UserName2 and Password2 set of credentials for the SQL sa account. The SQL management pack has a single SQL Run As profile that is used for all SQL Servers. You can then define one Run As account for the UserName1 set of credentials and another Run As account for the UserName2 set of credentials. Both of these Run As accounts can be associated with the one SQL Server Run As profile and can be configured to be distributed to the appropriate computers. That is, UserName1 is distributed to SQL Server1 and UserName2 is distributed to SQL Server2. Account information sent between the management server and the designated computer is encrypted.

Run As Account Security


In Operations Manager 2007 SP1, Run As account credentials are distributed to all agent-managed computers (the less secure option). In Operations Manager 2007 R2, Run As account credentials are distributed only to computers that you specify (the more secure option). If Operations Manager automatically distributed the Run As account according to discovery, a security risk would be introduced into your environment, as illustrated in the following example. This is why an automatic distribution option was not included in Operations Manager.

For example, Operations Manager 2007 identifies a computer as hosting SQL Server 2005 based on the presence of a registry key. It is possible to create that same registry key on a computer that is not actually running an instance of SQL Server 2005. If Operations Manager were to automatically distribute the credentials to all agent-managed computers that have been identified as SQL Server 2005 computers, the credentials would be sent to the imposter SQL Server and they would be available to anyone with administrator rights on that server.

When you create a Run As account using Operations Manager 2007 R2, you are prompted to choose whether the Run As account should be treated in a Less secure or More secure fashion. More secure means that when you associate the Run As account with a Run As profile, you have to provide the specific computer names that you want the Run As credentials distributed to. By positively identifying the destination computers, you can prevent the spoofing scenario that was described before. If you choose the less secure option, you will not have to provide any specific computers and the credentials will be distributed to all agent-managed computers.

Note
With all versions of Operations Manager 2007, the credentials you select for the Run As account must have logon-locally rights; otherwise, the module will fail.

See Also
Account Information for Operations Manager 2007
Role-based Security in Operations Manager 2007

How to Create a Run As Account in Operations Manager 2007


This procedure tells you how to create a Run As Account by using a set of Windows credentials as an example. Then it shows you how to edit the properties of the Run As Account to modify the security level and distribution of the credentials. You use this same procedure for all other account types. For more information about the other account types, see Credential Types in Operations Manager 2007. The credentials that you provide in a Run As Account are used to run tasks, rules, monitors and discoveries as defined by the management pack that they are in. The management pack guide has the settings that you need for configuring the Run As Account and the Run As Profile.

To create a Run As Account
1. Log on to the Operations console with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click Administration.
3. In the Administration pane, expand Administration, expand Run As Configuration, right-click Accounts, and then click Create Run As Account.
4. In the Create Run As Account Wizard, on the Introduction page click Next.
5. On the General Properties page, do the following:
   a. Select Windows in the Run As Account type: list.
   b. Type a display name in the Display Name text box.
   c. Optionally, type a description in the Description box.
   d. Click Next.
6. On the Credentials page, type a user name and its password, and then select the domain for the account that you want to make a member of this Run As Account.
7. Click Next.
8. On the Distribution Security page, select the Less secure or More secure option as appropriate.
9. Click Create.
10. On the Run As Account Creation Progress page, click Close.

When you create a Run As Account you are warned that you must associate the Run As Account with a Run As profile, and you are not presented with the option to configure Run As Account credential distribution. Both of these activities can be accomplished in the Run As Profile wizard. Alternately, you can configure Run As Account credential distribution by editing the properties of the Run As Account as shown next.

To modify Run As Account properties
1. In the Operations console, click Administration.
2. In the Administration pane, expand the Administration node, expand the Run As Configuration node, and select the Accounts container.
3. In the results pane, double-click the Run As Account that you want to edit to open its properties.
4. On the Run As Account Properties page you can edit values on the General Properties, Credentials, or the Distribution tabs. In this case, select the Distribution tab.
5. On the Distribution tab, in the Selected computers: area, click Add to open the Computer Search tool.
6. On the Computer Search page, click the Option: list and select one of the following options:
   a. Search by computer name (Default), then type the computer name in the Filter by: (Optional) box.
   b. Show suggested computers: if you have already associated the Run As Account object with a Run As profile, a list of discovered computers that host the monitored service is presented here.
   c. Show management servers: in some cases, for example cross platform monitoring, all monitoring is performed by a management server, and therefore the credentials have to be distributed to the management server that is performing the monitoring.
7. Optionally, type a value in the Filter by: (Optional) box to narrow the search result set and click Search. A list of computers that match the search criteria is displayed in the Available items box.
8. Select the computers that you want to distribute the credentials to, and click Add. The computers appear in the Selected Items box.
9. Click OK. This returns you to the Distribution tab and the computers are displayed. Click OK.

See Also
How to Create and Configure a Run As Profile in Operations Manager 2007

How to Create and Configure a Run As Profile in Operations Manager 2007


The process of creating and configuring a custom Run As Profile consists of four steps:
1. Identifying the class, group or objects the Run As Account will be applied to.
2. Creating and configuring Run As Accounts.
3. Associating the Run As Accounts with the Run As Profile.
4. Configuring the distribution of Run As Account object credentials to specific computers.

This procedure can be used for creating and configuring a new Run As Profile, or you can use the configuring section to modify or configure Run As Profiles that are pre-existing in your management group. This procedure assumes that you have not previously created a Run As Account object.

To create a Run As Profile
1. Log on to the Operations console with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click Administration.
3. In the Administration pane, expand Administration, expand Run As Configuration, select the Profiles container. Right-click in the Results pane, and then click Create Run As Profile. If this is your first time through the Run As Profile wizard, be sure to read the text on the Introduction page.
4. Click Next.
5. On the General Properties page, do the following:
   a. Type a display name for the Run As Profile in the Display name box.
   b. Optionally, enter a description for the Run As Profile.
   c. Click New for the Select destination management pack list to create an override management pack if you have not already created one. If you have already created an override management pack, select it from the drop down list and skip to step 9.
6. In the Create a Management Pack wizard on the General Properties page, type a name in the Name box. Optionally, enter a description for the management pack. Then click Next.
Tip
By default, when you create a management pack object, disable a rule or monitor, or create an override, Operations Manager saves the setting to the Default Management Pack. As a best practice, you should create a separate management pack for each sealed management pack that you want to customize, rather than saving your customized settings to the Default Management Pack. For more information, see Customizing Management Packs (http://go.microsoft.com/fwlink/?LinkId=140601).
7. On the Knowledge Article page, click Edit if you want to provide summary, configuration, additional information, and external knowledge sources information about this management pack.
8. Click Create. This returns you to the General Properties page of the Run As Profile wizard.
9. Click Next.
10. On the Run As Accounts page, click Add to open the Add a Run As Account page.
11. Click New, which starts the Create Run As Account Wizard and opens the General Properties page.
12. From the Run As Account type box, select the type of account that you need to create. This is specified in the management pack guide.
13. Type a name in the Display name: box, optionally type a description, and then click Next.
14. On the Credentials page, type the user name and password of the actual credential that you want the Run As Profile to use in the respective User name, Password, and Confirm password boxes.
15. Ensure that the correct domain for the credentials is selected in the Domain list. Click Next.
16. On the Distribution Security page, select the Less secure or More secure option as instructed by your management pack guide. Note that if you choose the Less secure option, the credentials are accessible to the administrators of all recipient computers. For more information about credential distribution security, see Run As Profiles and Run As Accounts in Operations Manager 2007.
17. Click Create.
18. On the Run As Account Creation Progress page, when creation is complete, read the warning note, and then click Close. This returns you to the Add a Run As Account page.
19. In the This Run As Account will be used to manage the following objects area, select the All targeted objects or A selected class, group or object option, per the configuration values in your management pack guide.
20. If the A selected class, group or object box is prepopulated with a value, click OK; otherwise click Select and pick either Class, Group, or Object as instructed by the management pack guide. This opens the respective Class search, Group search, or Object search page.
21. In any of the search tools, type your search or filter criteria, and click Search. The results are displayed in the Available items box.
22. Select the item you want the Run As Account object to be used to manage, and then click OK.
23. Click OK. This returns you to the Run As Accounts page in the Run As Profile Wizard.
24. If you want to add additional Run As Accounts, click Add again and repeat steps 10 through 23; otherwise click Create.
Note
This procedure assumes that you selected the More secure option and presents the remaining steps in order. If you selected the Less secure option, skip to step 29.
25. On the Run As Profile Wizard Completion page you see all the Run As Accounts that were configured with the More secure setting listed as a link. It is now necessary to select each Run As Account one at a time and configure credential distribution.
26. Double-click an account; this opens the Run As Account Properties page to the Distribution tab. You will see your security level selection and the Selected computers displayed. You can edit both from here.
27. Click Add for the Selected computers box and do the following:
   a. Select Search by computer name (Default), Show suggested computers, or Show management servers.
   b. Optionally type a value in the Filter by: (Optional) box.
   c. Click Search. The result set is returned in the Available items box.
   d. Select the computers you want from the result set, and click Add. This adds the selected computers to the Selected objects box.
   e. Click OK.
28. Click OK. This returns you to the Completion page of the Run As Profile Wizard. A green checkmark appears next to the accounts for which you have successfully completed distribution configuration.
29. Click Close.

See Also
How to Create a Run As Account in Operations Manager 2007
How to Modify an Existing Run As Profile

How to Modify an Existing Run As Profile


Pre-existing Run As profiles may have been created by you using the How to Create and Configure a Custom Run As Profile procedure, or they may have been created when a management pack that contained one was imported. Use this procedure to modify the properties of an existing Run As profile.

How to modify an existing Run As profile
1. Open the Operations console with an account that is a member of the Operations Manager 2007 Administrators role.
2. Select the Administration view.
3. In the Administration view navigation pane, select the Profiles container.
4. In the results pane, double-click the profile whose properties you want to edit. This opens the Run As Profile Wizard, which contains the settings that were configured previously.
5. On the General Properties page, you can modify the value in the Display name and Description fields.
6. Click Next.
7. On the Run As Accounts page, you can add additional Run As accounts, edit the settings of existing ones, and remove Run As accounts that should no longer be associated with the Run As profile.
8. When you have completed your modifications, click Save.
9. On the Completion page, in the More-secure Run As accounts: box, you must select each account in turn and configure the distribution of the credentials for each Run As account. For more information about configuring Run As account credential distribution, see How to Create and Configure a Run As Profile in Operations Manager 2007.
10. When you have completed configuring distribution, click Close.


Authentication and Data Encryption for Windows Computers in Operations Manager 2007
Operations Manager 2007 consists of components such as the root management server, management server, gateway server, Reporting Server, Operations Manager database, Reporting data warehouse, agent, Web console, and Operations console. This section explains how authentication is performed and identifies connection channels where the data is encrypted.

Certificate-Based Authentication
When an Operations Manager agent and management server are separated by either an untrusted forest or workgroup boundary, certificate-based authentication will need to be implemented. The following sections provide information about these situations and specific procedures for obtaining and installing certificates from Windows-based certification authorities.

Setting Up Communication Between Agents and Management Servers Within the Same Trust Boundary
An agent and the management server use Windows authentication to mutually authenticate with each other before the management server accepts data from the agent. The Kerberos version 5 protocol is the default method for providing authentication. In order for Kerberos-based mutual authentication to function, the agents and management server must be installed in an Active Directory domain. If an agent and a management server are in separate domains, full trust must exist between the domains. In this scenario, after mutual authentication has taken place, the data channel between the agent and the management server is encrypted. No user intervention is required for authentication and encryption to take place.

Setting Up Communication Between Agents and Management Servers Across Trust Boundaries
An agent (or agents) might be deployed into a domain (domain B) separate from the management server (domain A), and no two-way trust might exist between the domains. Because there is no trust between the two domains, the agents in one domain cannot authenticate with the management server in the other domain using the Kerberos protocol. Mutual authentication between the Operations Manager 2007 components within each domain still occurs. A solution to this situation is to install a gateway server in the same domain where the agents reside, and then install certificates on the gateway server and the management server to achieve mutual authentication and data encryption. The use of the gateway server means you need only one certificate in domain B and only one port through the firewall, as shown in the following illustration.


For more information, see the following topics in this security guide:
  How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007

Setting Up Communication Across a Domain Workgroup Boundary

In your environment, you may have one or two agents deployed to a workgroup inside your firewall. The agent in the workgroup cannot authenticate with the management server in the domain using the Kerberos protocol. A solution to this situation is to install certificates on both the computer hosting the agent and the management server that the agent connects to, as shown in the following illustration.

Note
In this scenario, the agent must be manually installed.


Perform the following steps on both the computer hosting the agent and the management server, using the same certification authority (CA) for each:
- Request certificates from the CA.
- Approve the certificate requests on the CA.
- Install the approved certificates in the computer certificate stores.
- Use the MOMCertImport tool to configure Operations Manager 2007.

These are the same steps for installing certificates on a gateway server, except you do not install or run the gateway approval tool. For more information, see the following topics in this security guide:
  How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007

Certificate Generation Wizard

The steps that are necessary to generate, retrieve, and install certificates are in this Security Guide. A certificate generation wizard has been designed to simplify this process. For more information, see the blog post Obtaining Certificates for Non-Domain Joined Agents Made Easy With Certificate Generation Wizard (http://go.microsoft.com/fwlink/?LinkId=128392).

Note
Use of the certificate generation wizard is provided AS IS, with no warranties, and it confers no rights. Use of this utility is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Confirming Certificate Installation

If you have properly installed the certificate, the following event is written into the Operations Manager event log.

Level         Source             Event ID   General
Information   OpsMgr Connector   20053      The OpsMgr Connector has loaded the specified authentication certificate successfully.

If the subject name of the certificate does not match the computer name, Event ID 20052 of type Error is logged instead (see the notes in the certificate request procedures later in this guide); the certificate must then be re-requested with the correct FQDN.

During the setup of a certificate, you run the MOMCertImport tool. When the MOMCertImport tool has finished, the serial number of the certificate that you imported is written to the registry at the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
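The following PowerShell script is an added example, not part of the guide or of the Operations Manager tools, that performs the check described above from the command line on an agent, gateway server, or management server: it reads the serial number MOMCertImport recorded, finds that certificate in the local computer's Personal store, verifies the properties the guide's request procedures require (Server Authentication and Client Authentication EKUs, private key present, subject contains the FQDN, chain to a trusted root), and cross-checks the most recent 20052/20053 event. Two details are assumptions from field practice rather than statements on this page: the registry value name ChannelCertificateSerialNumber, and the fact that MOMCertImport stores the serial number bytes in reverse order relative to what the Certificates MMC displays.

```powershell
# Added example, not from the Operations Manager 2007 R2 Security Guide.
# Run in an elevated PowerShell on the computer whose certificate you imported.

$keyPath       = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$valueName     = 'ChannelCertificateSerialNumber'   # assumed value name written by MOMCertImport
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ImportedSerialNumber {
    # Returns the serial number as the upper-case hex string the MMC shows, or $null.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    [byte[]]$bytes = $item.$valueName
    [array]::Reverse($bytes)     # assumed: stored little-endian relative to the displayed value
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-OpsMgrCertificate {
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

    $serial = Get-ImportedSerialNumber
    if (-not $serial) {
        Write-Warning "MOMCertImport has not been run here (value $valueName is missing)."
        return $false
    }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) {
        Write-Warning "Registry points at serial $serial but no such certificate is in LocalMachine\My."
        return $false
    }

    $ok = $true
    # Enhanced Key Usage (OID 2.5.29.37) must list both purposes the guide's template/request specifies.
    $ekus = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($oid in @($serverAuthOid, $clientAuthOid)) {
        if ($ekus -notcontains $oid) { Write-Warning "Certificate lacks EKU $oid"; $ok = $false }
    }
    if (-not $cert.HasPrivateKey)        { Write-Warning 'Private key is not present in the store'; $ok = $false }
    if ($cert.NotAfter -lt (Get-Date))   { Write-Warning 'Certificate has expired'; $ok = $false }
    # A subject that does not contain the computer's FQDN is what produces event 20052.
    if ($cert.Subject -notmatch [regex]::Escape($Fqdn)) {
        Write-Warning "Subject '$($cert.Subject)' does not contain the FQDN $Fqdn"; $ok = $false
    }
    # The issuing CA chain must end in a root that this computer trusts (the imported .p7b).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) { Write-Warning 'Certificate chain does not build to a trusted root'; $ok = $false }

    # Cross-check against what the OpsMgr Connector reported after the Health Service last started.
    $last = Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest 500 -ErrorAction SilentlyContinue |
            Where-Object { @(20052, 20053) -contains $_.EventID } |
            Sort-Object TimeGenerated -Descending | Select-Object -First 1
    if (-not $last) {
        Write-Warning 'No 20052/20053 event found; restart the Health Service (HealthService) and re-check.'
    } elseif ($last.EventID -eq 20052) {
        Write-Warning "Last connector event is 20052 (error): $($last.Message)"; $ok = $false
    } else {
        Write-Host "Event 20053 confirms the connector loaded certificate $($cert.Thumbprint)."
    }
    return $ok
}

Test-OpsMgrCertificate
```

The script only reads the registry and the certificate store; it never modifies them, so it is safe to run repeatedly after each MOMCertImport or Health Service restart.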

Authentication and Data Encryption Between Root Management Server, Management Server, Gateway Server, and Agents
Communication among these Operations Manager components begins with mutual authentication. If certificates are present on both ends of the communications channel, then certificates will be used for mutual authentication; otherwise, the Kerberos version 5 protocol is used. If any two components are separated by an untrusted domain boundary, mutual authentication must be performed using certificates. Normal communications, such as events, alerts, and deployment of a management pack, occur over this channel.

The illustration referred to above shows an example of an alert being generated on one of the agents that is routed to the root management server (RMS). From the agent to the gateway server, the Kerberos security package is used to encrypt the data, because the gateway server and the agent are in the same domain. The alert is decrypted by the gateway server and re-encrypted using certificates for the management server. After the management server receives the alert, the management server decrypts the message, re-encrypts it using the Kerberos protocol, and sends it to the RMS, where the RMS decrypts the alert. Because each hop decrypts and re-encrypts, the gateway server and the management server handle the data in clear text; protect them as trusted components, not merely as relays.

Some communication between the RMS and the agent may include credential information; for example, configuration data and tasks. The data channel between the agent and the management server adds another layer of encryption in addition to the normal channel encryption. No user intervention is required.

Root Management Server and Operations Manager Database


Run As Account information is stored in an encrypted form in the Operations Manager database using a symmetric key that was created by Operations Manager 2007. If the root management server (RMS) had to be replaced, the new RMS would not be able to read any of the encrypted data from the database without that key. The SecureStorageBackup tool, included with Operations Manager 2007, is used to back up and restore this encryption key.

Important
Run the SecureStorageBackup tool to export the root management server key for backup purposes. Without a backup of the root management server key, you would need to re-enter all of your Run As Accounts if you had to rebuild the RMS. In larger environments, this rebuild could involve hundreds of accounts. Store the exported key file with the same care as the Run As credentials it protects, because anyone holding the key and a copy of the database can decrypt them. For more information about the SecureStorageBackup tool, see the topic How to Backup and Restore Encryption Keys in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=87387). For information about recovering from disasters involving the loss of the root management server with or without the backup of the encryption key, see the Knowledge Base article titled The Root Management Server encryption key is unavailable after you replace or reinstall the Root Management Server server in Microsoft System Center Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=112310).

Root Management Server and Operations Console, Web Console Server, and Reporting Server
Authentication and data encryption between the root management server (RMS) and the Operations console, Web console server, or Reporting Server is accomplished by using Windows Communication Foundation (WCF) technology (formerly code-named "Indigo"). The initial attempt at authentication is made by using the user's credentials. The Kerberos protocol is attempted first. If the Kerberos protocol does not work, another attempt is made using NTLM. If authentication still fails, the user is prompted to provide credentials. After authentication has taken place, the data stream is encrypted as a function of either the Kerberos protocol or SSL, if NTLM is used. In the case of a Reporting Server and an RMS, after authentication has occurred, a data connection is established between the RMS and SQL Server Reporting Server. This is accomplished by strictly using the Kerberos protocol; therefore, the RMS and Reporting Server must reside in trusted domains. For more information about WCF, see the MSDN article What Is Windows Communication Foundation? (http://go.microsoft.com/fwlink/?LinkId=87429).

Management Server and Reporting Data Warehouse


Two communication channels exist between a management server and the Reporting data warehouse:
- The monitoring host process spawned by the health service (System Center Management service) in either a management server or a root management server
- The SDK service (System Center Data Access service) in the root management server

Monitoring Host Process and Reporting Data Warehouse


By default, the monitoring host process spawned by the Health Service, which is responsible for writing collected events and performance counters to the data warehouse, achieves Windows Integrated Authentication by running as the Data Writer Account specified during Reporting Setup. The account credential is securely stored in a Run As Account called Data Warehouse Action Account. This Run As Account is a member of a Run As Profile called Data Warehouse Account (which is associated with the actual collection rules). If the Reporting data warehouse and the management server are separated by a trust boundary (for example, each resides in a different domain with no trust), then Windows Integrated Authentication will not work. To work around this situation, the monitoring host process can connect to the Reporting data warehouse using SQL Server Authentication. To do this, create a new Run As Account (of Simple Account type) with the SQL account credential and make it a member of the Run As Profile called Data Warehouse SQL Server Authentication Account, with the management server as the target computer.

Important
By default, the Run As Profile Data Warehouse SQL Server Authentication Account was assigned a special account through the use of the Run As Account of the same name. Never make any changes to the account that is associated with the Run As Account Data Warehouse SQL Server Authentication Account. Instead, create your own account and your own Run As Account, and make the Run As Account a member of the Run As Profile Data Warehouse SQL Server Authentication Account when configuring SQL Server Authentication.

The following outlines the relationship of the various account credentials, Run As Accounts, and Run As Profiles for both Windows Integrated Authentication and SQL Server Authentication.

Default: Windows Integrated Authentication
  Run As Profile: Data Warehouse Account
    Run As Account: Data Warehouse Action Account
      Credentials: Data Writer Account (specified during setup)
  Run As Profile: Data Warehouse SQL Server Authentication Account
    Run As Account: Data Warehouse SQL Server Authentication Account
      Credentials: Special account created by Operations Manager (do not change)

Optional: SQL Server Authentication
  Run As Profile: Data Warehouse SQL Server Authentication Account
    Run As Account: A Run As Account you create.
      Credentials: An account you create.

The System Center Data Access Service or the SDK Service, and Reporting Data Warehouse
The SDK service found in Operations Manager 2007 SP1 is renamed to the System Center Data Access service in Operations Manager 2007 R2. By default, the System Center Data Access service, or SDK service, which is responsible for reading data from the Reporting data warehouse and making it available in the Report Parameter Area, achieves Windows Integrated Authentication by running as the SDK and Config account that was defined during setup of Operations Manager 2007. If the Reporting data warehouse and the management server are separated by a trust boundary (for example, each resides in a different domain with no trust), then Windows Integrated Authentication will not work. To work around this situation, the System Center Data Access service or SDK service can connect to the Reporting data warehouse using SQL Server Authentication. To do this, create a new Run As Account (of Simple Account type) with the SQL account credential and make it a member of the Run As Profile called Reporting SDK SQL Server Authentication Account, with the management server as the target computer.

Important
By default, the Run As Profile Reporting SDK SQL Server Authentication Account was assigned a special account through the use of the Run As Account of the same name. Never make any changes to the account that is associated with the Run As Account Reporting SDK SQL Server Authentication Account. Instead, create your own account and your own Run As Account, and make the Run As Account a member of the Run As Profile Reporting SDK SQL Server Authentication Account when configuring SQL Server Authentication.

The following outlines the relationship of the various account credentials, Run As Accounts, and Run As Profiles for both Windows Integrated Authentication and SQL Server Authentication.

Default: Windows Integrated Authentication
  SDK and Config Service Account (defined during setup of Operations Manager)
  Run As Profile: Reporting SDK SQL Server Authentication Account
    Run As Account: Reporting SDK SQL Server Authentication Account
      Credentials: Special account created by Operations Manager (do not change)

Optional: SQL Server Authentication
  Run As Profile: Reporting SDK SQL Server Authentication Account
    Run As Account: A Run As Account you create.
      Credentials: An account you create.

Operations Console and Reporting Server


The Operations console connects to Reporting Server on port 80 using HTTP. Authentication is performed by using Windows Authentication. Data can be encrypted by using the SSL channel. For more information about using SSL between the Operations console and Reporting Server, see How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007 later in the Security Guide.

Reporting Server and Reporting Data Warehouse


Authentication between Reporting Server and the Reporting data warehouse is accomplished using Windows Authentication. The account that was specified as the Data Reader Account during setup of Reporting becomes the Execution Account on Reporting Server. If the password for the account should change, you will need to make the same password change using the Reporting Services Configuration Manager in SQL Server 2005. For more information about resetting this password, see How to Change the Reporting Server Execution Account Password in Operations Manager 2007. The data between the Reporting Server and the Reporting data warehouse is not encrypted.


See Also
  How to Change the Reporting Server Execution Account Password in Operations Manager 2007
  How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
  How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007

How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
Before you can configure the Operations console to use SSL when connecting to a Reporting Server, you must first install an SSL certificate on IIS and then configure the Operations console to use SSL. On the Reporting Server, start Internet Information Services (IIS) Manager to request and install an SSL certificate. The subject name of that certificate must match the host name you will put in the Reporting server URL, and the certificate must chain to a CA that the console computers trust; otherwise the console's SSL connection fails certificate validation. For more information about how to implement SSL in IIS, see the Knowledge Base article How to implement SSL in IIS (http://go.microsoft.com/fwlink/?LinkId=87862). Use the following procedure to configure the Operations console to use SSL.

To configure the Operations console to use SSL
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Administration button.
   Note
   When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Administration pane, expand Administration, expand Device Management, and then click Settings.
4. In the Settings pane, right-click Reporting, and then click Properties.
5. On the General tab, under Reporting Server Settings, click the Reporting server URL drop-down list and select https://.
6. Edit the URL by replacing :80 with :443, and then click OK.
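As an added example (not part of the guide), the following PowerShell script checks from a console computer whether the Reporting server URL you just configured actually yields a usable SSL connection: it rejects a plain http:// URL, connects with the same Windows credentials the console would use, accepts a 401 challenge as proof that the TLS handshake succeeded, and then inspects the certificate IIS presented for expiry, host-name match, and a chain to a trusted root. The URL is a hypothetical value; replace it with the one shown under Reporting Server Settings.

```powershell
# Added example, not from the Operations Manager 2007 R2 Security Guide.
# Run on a computer where the Operations console is installed, as the console user.
param([string]$ReportServerUrl = 'https://reports.contoso.com:443/ReportServer')   # hypothetical

function Test-ReportingServerSsl {
    param([string]$Url)
    $uri = [Uri]$Url
    if ($uri.Scheme -ne 'https') {
        Write-Warning "$Url is not HTTPS: Windows Authentication still protects the logon, but report data travels in clear text."
        return $false
    }

    $request = [System.Net.HttpWebRequest]::Create($uri)
    $request.UseDefaultCredentials = $true     # Windows Authentication, as the console uses
    $request.Method = 'HEAD'
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) {
            # No HTTP response at all: TLS handshake or trust failure (e.g. untrusted issuer, name mismatch).
            Write-Warning "SSL/connection failure: $($_.Exception.Message)"
            return $false
        }
        $response = $_.Exception.Response   # 401 here is fine; the TLS session was established
    }
    $response.Close()

    $raw = $request.ServicePoint.Certificate
    if (-not $raw) { Write-Warning 'No server certificate was presented'; return $false }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw

    $ok = $true
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Reporting Server certificate has expired'; $ok = $false }
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $uri.Host) {
        Write-Warning "Certificate name '$dnsName' does not match URL host '$($uri.Host)'"; $ok = $false
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) { Write-Warning 'Certificate does not chain to a root trusted on this computer'; $ok = $false }

    if ($ok) { Write-Host "SSL to $($uri.Host) OK: $($cert.Subject), expires $($cert.NotAfter)" }
    return $ok
}

Test-ReportingServerSsl -Url $ReportServerUrl
```

A failure in the "SSL/connection failure" branch is the same failure the console will show, so fix the certificate (name or trust) on the Reporting Server before changing the console setting rather than after.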

See Also
  How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
  How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007

How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
The following procedures provide the steps for obtaining a certificate from an enterprise certification authority (CA) by using Certificate Services, which is a feature in Windows 2000 Server and Windows Server 2003. To obtain a certificate in this manner, you must do the following:
- Download the Trusted Root (CA) certificate.
- Import the Trusted Root (CA) certificate.
- Create a certificate template.
- Request a certificate from the enterprise CA.
- Import the certificate into Operations Manager.

To download the Trusted Root (CA) certificate
1. Log on to the computer where you want to install a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save, and save the certificate; for example, Trustedca.p7b.
6. When the download has finished, close Internet Explorer.

To import the Trusted Root (CA) certificate
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
11. Right-click Certificates, select All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. On the File to Import page, click Browse, go to the location where you downloaded the CA certificate file (for example, TrustedCA.p7b), select the file, and then click Open.
14. On the File to Import page, select Place all certificates in the following store, ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.

To create a certificate template
1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click Duplicate Template.
4. In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template (for example, OperationsManagerCert).
5. On the Request Handling tab, select Allow private key to be exported, and then click CSPs.
   Note
   An exportable private key can be copied by anyone who is an administrator on the computer that holds it. Keep membership of the local Administrators group on gateway and management servers to a minimum.
6. In the CSP Selection dialog box, select the cryptographic service provider that best suits your business needs, and then click OK.
   Note
   Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.
7. Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.
8. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
9. Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK.
10. In the Edit Application Policies Extension dialog box, click OK.
11. Click the Security tab, ensure that the group that will request Operations Manager certificates has Read and Enroll permissions, and then click OK.
   Note
   Because this template (duplicated from IPSec (Offline request)) lets the requester type the subject name, any principal with Enroll permission can obtain a Server Authentication and Client Authentication certificate for any name. Grant Enroll only to the administrators or computer accounts that actually request Operations Manager certificates rather than to Authenticated Users.

To add the template to the Certificate Templates folder
1. Within the Certification Authority snap-in, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates box, select the certificate template that you created, and then click OK.

To request a certificate from an enterprise CA
1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
3. On the Microsoft Certificate Services Welcome page, click Request a certificate.
4. On the Request a Certificate page, click Or, submit an advanced certificate request.
5. On the Advanced Certificate Request page, click Create and submit a request to this CA.
6. On the Advanced Certificate Request page, do the following:
   a. Under Certificate Template, select the name of the template you created (for example, OperationsManagerCert).
   b. Under Identifying Information For Offline Template, in the Name field, enter a unique name; for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the rest of the fields, enter the appropriate information.
      Note
      Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.
   c. Under Key Options, click Create a new key set; in the CSP field, select the cryptographic service provider that best suits your business needs; under Key Size, select a key size that best suits your business needs; select Automatic key container name; ensure that Mark keys as exportable is selected; clear Export keys to file; clear Enable strong private key protection; and then click Store certificate in the local computer certificate store.
      Note
      Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.
   d. Under Additional Options, under Request Format, select CMC; in the Hash Algorithm list, select SHA-1; clear Save request to a file; and then in the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.
   e. Click Submit.
   f. If a Potential Scripting Violation message is displayed, click Yes.
   g. On the Certificate Issued page, click Install this certificate.
   h. If a Potential Scripting Violation dialog box is displayed, click Yes.
   i. On the Certificate Installed page, when you see the message that Your new certificate has been successfully installed, close the browser.

To import certificates using MOMCertImport
1. Log on to the computer with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386 and then press ENTER.
   Note
   On 64-bit computers, type cd\SupportTools\amd64
6. Type the following: MOMCertImport /SubjectName <Certificate Subject Name>
7. Press ENTER.

See Also
  How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
  How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
  How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007

How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
The following procedures provide the steps for obtaining a certificate from a stand-alone certification authority (CA) by using Certificate Services, which is a feature in Windows 2000 Server and Windows Server 2003. To obtain a certificate in this manner, perform the following procedures:
- Download the Trusted Root (CA) certificate.
- Import the Trusted Root (CA) certificate.
- Request a certificate from a stand-alone CA.
- Approve the pending certificate request. If your Certificate Services has been configured to auto-approve certificates, skip this procedure and proceed to retrieving the certificate. Otherwise, the CA administrator must issue the certificate as described in the procedure To approve the pending certificate request.
- Retrieve the certificate.
- Using the MOMCertImport utility, import the certificate into Operations Manager.

To download the Trusted Root (CA) certificate
1. Log on to the computer where you want to install a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save, and save the certificate; for example, Trustedca.p7b.
6. When the download has finished, close Internet Explorer.

To import the Trusted Root (CA) certificate
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
11. Right-click Certificates, select All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. On the File to Import page, click Browse, go to the location where you downloaded the CA certificate file (for example, TrustedCA.p7b), select the file, and then click Open.
14. On the File to Import page, select Place all certificates in the following store, ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.

To request a certificate from a stand-alone CA
1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).
2. Start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
3. On the Microsoft Certificate Services Welcome page, click Request a certificate.
4. On the Request a Certificate page, click Or, submit an advanced certificate request.
5. On the Advanced Certificate Request page, click Create and submit a request to this CA.
6. On the Advanced Certificate Request page, do the following:
   a. Under Identifying Information, in the Name field, enter a unique name; for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the remaining fields, enter the appropriate information.
      Note
      Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.
   b. Under Type of Certificate Needed, click the list, and then select Other. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (the Server Authentication and Client Authentication enhanced key usages).
   c. Under Key Options, make the following selections:
      - Click Create a new key set.
      - In the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0.
      - Under Key Usage, select Both.
      - Under Key Size, select 1024.
      - Select Automatic key container name.
      - Select Mark keys as exportable.
      - Clear Export keys to file (not required for Windows Server 2008 AD CS).
      - Clear Enable strong private key protection.
      - Click Store certificate in the local computer certificate store.
   d. Under Additional Options:
      - Under Request Format, select CMC.
      - In the Hash Algorithm list, select SHA-1.
      - Clear Save request to a file.
      - In the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.
      Note
      A 1024-bit key and SHA-1 are the values shown in this guide; if your CA and security policy allow it, choose a larger key size and a SHA-2 hash algorithm. The rest of the procedure is unchanged.
   e. Click Submit.
   f. If a Potential Scripting Violation dialog box is displayed, click Yes.
   g. When the Certificate Pending page displays, close the browser.

To approve the pending certificate request
1. Log on to the computer hosting Certificate Services as a certification authority administrator.
2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
3. In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.
4. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.
5. Click Issued Certificates, and confirm that the certificate you just issued is listed.
6. Close Certification Authority.

To retrieve the certificate
1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
3. On the Microsoft Certificate Services Welcome page, click View the status of a pending certificate request.
4. On the View the Status of a Pending Certificate Request page, click the certificate you requested.
5. On the Certificate Issued page, click Install this certificate.
6. In the Potential Scripting Violation dialog box, click Yes.
7. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.

To import certificates using MOMCertImport
1. Log on to the computer with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386, and then press ENTER.
   Note
   On 64-bit computers, type cd\SupportTools\amd64
6. Type the following: MOMCertImport
7. In the Select Certificate dialog box, select the certificate you retrieved in the previous section, and then click OK.
   Note
   To help you select the correct certificate if more than one certificate is displayed, select the certificate for which the intended purposes are listed as Server Authentication, Client Authentication and for which the friendly name matches the friendly name you defined in step 6d of the procedure To request a certificate from a stand-alone CA.
8. In the command window, the message Successfully installed the certificate. Please check Operations Manager log in event viewer to check channel connectivity is displayed.
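The following PowerShell script is an added example, not the guide's own procedure, that performs the request, approval wait, retrieval, and MOMCertImport steps of the two Windows Server 2003 topics above with certreq.exe instead of the Web enrollment pages; it is also the shape of the CertReq-based process that the Windows Server 2008 Enterprise CA topic later in this guide describes. The .inf mirrors the options selected on the Advanced Certificate Request page: a new key set in the local computer store, exportable, CMC request format, the FQDN as subject and friendly name, and the Server Authentication and Client Authentication OIDs. For an enterprise CA you pass the template name (for example, OperationsManagerCert); for a stand-alone CA you leave it empty, the request goes pending, and the script waits until the CA administrator issues it. The CA configuration string, the template name, and the MOMCertImport path are hypothetical placeholders. The script defaults to a 2048-bit key and SHA-256 rather than the 1024-bit/SHA-1 values shown in the procedures; lower them only if your CA cannot issue anything stronger.

```powershell
# Added example, not from the Operations Manager 2007 R2 Security Guide.
# Run elevated on the agent, gateway server or management server that needs the certificate.
param(
    [string]$CAConfig      = 'ca01.contoso.com\Contoso-Issuing-CA',   # hypothetical "<CA host>\<CA name>"
    [string]$TemplateName  = '',                                      # enterprise CA: e.g. 'OperationsManagerCert'; stand-alone CA: ''
    [string]$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$MomCertImport = 'D:\SupportTools\amd64\MOMCertImport.exe', # hypothetical path on the installation media
    [int]   $KeyLength     = 2048,
    [string]$HashAlgorithm = 'sha256',
    [string]$WorkDir       = "$env:TEMP\opsmgrcert"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir "$Fqdn.inf"
$req = Join-Path $WorkDir "$Fqdn.req"
$cer = Join-Path $WorkDir "$Fqdn.cer"

# [NewRequest] = the Web page's Key Options / Additional Options.
# KeySpec 1 (AT_KEYEXCHANGE) is the "Both" key usage; KeyUsage 0xa0 = digital signature + key encipherment.
$infText = @"
[NewRequest]
Subject       = "CN=$Fqdn"
FriendlyName  = "$Fqdn"
Exportable    = TRUE
MachineKeySet = TRUE
KeyLength     = $KeyLength
KeySpec       = 1
KeyUsage      = 0xa0
HashAlgorithm = $HashAlgorithm
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType  = 12
RequestType   = CMC
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
if ($TemplateName) {
    # Enterprise CA: the template supplies the issuance policy. A stand-alone CA ignores this section.
    $infText += "`r`n[RequestAttributes]`r`nCertificateTemplate = $TemplateName`r`n"
}
Set-Content -Path $inf -Value $infText -Encoding ASCII

# 1. Generate the key pair in LocalMachine\My and write the CMC request.
& certreq.exe -new $inf $req | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit. An enterprise CA normally issues at once; a stand-alone CA answers
#    "Taken Under Submission" with a RequestId and creates no .cer until an
#    administrator issues the request in the Certification Authority console.
$submitOutput = & certreq.exe -config $CAConfig -submit $req $cer | Out-String
if ($submitOutput -match 'RequestId:\s*(\d+)') { $requestId = [int]$Matches[1] }
else { throw "Could not read a RequestId from certreq output:`n$submitOutput" }

if (-not (Test-Path $cer)) {
    Write-Host "Request $requestId is pending on $CAConfig. Have the CA administrator issue it, then press Enter."
    [void](Read-Host)
    & certreq.exe -config $CAConfig -retrieve $requestId $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed ($LASTEXITCODE); is request $requestId issued?" }
}

# 3. Accept: installs the issued certificate next to its private key in LocalMachine\My.
& certreq.exe -accept $cer | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. Point Operations Manager at the certificate and restart the Health Service
#    (System Center Management) so the OpsMgr Connector reloads it.
& $MomCertImport /SubjectName $Fqdn
Restart-Service -Name HealthService
Write-Host 'Check the Operations Manager event log for event 20053 (loaded) or 20052 (subject name mismatch).'
```

Before running it, import the CA chain (.p7b) into Trusted Root Certification Authorities exactly as in the procedures above; certreq does not do that for you, and without it event 20053 is still logged but the peer rejects the chain.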

See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007

How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
Use the procedures in this topic to obtain a certificate from a Windows Server 2008 computer hosting Enterprise Root Active Directory Certificate Services (AD CS). You will use the CertReq command-line utility to request and accept a certificate, and you will use a Web interface to submit and retrieve your certificate. It is assumed that you have AD CS installed, an HTTPS binding has been created, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.

Important
The content for this topic is based on the default settings for Windows Server 2008 AD CS; for example, setting the key length to 2048, selecting Microsoft Software Key Storage Provider as the CSP, and using Secure Hash Algorithm 1 (SHA1). Evaluate these selections against the requirements of your company's security policy.

The high-level process to obtain a certificate from an Enterprise certification authority (CA) is as follows:
1. Download the Trusted Root (CA) certificate.
2. Import the Trusted Root (CA) certificate.
3. Create a certificate template.
4. Add the template to the Certificate Templates folder.
5. Create a setup information file for use with the CertReq command-line utility.
6. Create a request file.
7. Submit a request to the CA.
8. Import the certificate into the certificate store.
9. Import the certificate into Operations Manager using MOMCertImport.

To download the Trusted Root (CA) certificate
1. Log on to the computer where you want to install a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save and save the certificate; for example, Trustedca.p7b.
6. When the download has finished, close Internet Explorer.

To import the Trusted Root (CA) Certificate
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
11. Right-click Certificates, select All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. On the File to Import page, click Browse, go to the location where you downloaded the CA certificate file (for example, TrustedCA.p7b), select the file, and then click Open.
14. On the File to Import page, select Place all certificates in the following store, ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.

To create a certificate template
1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click Duplicate Template.
4. In the Duplicate Template dialog box, select Windows Server 2003 Enterprise Edition, and then click OK.
   Note
   The option for Windows Server 2008 Enterprise Edition is not supported at this time.
5. In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template; for example, OperationsManagerCert.
6. On the Request Handling tab, select Allow private key to be exported.
7. Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.
8. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
9. Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK.
10. In the Edit Application Policies Extension dialog box, click OK.
11. Click the Security tab, ensure that the Authenticated Users group has Read and Enroll permissions, and then click OK.
12. Close the Certificate Templates console.

To add the template to the Certificate Templates folder
1. On the computer that is hosting your Enterprise CA, in the Certification Authority snap-in, right-click the Certificate Templates folder, point to New, and then click Certification Template to Issue.
2. In the Enable Certificate Templates box, select the certificate template that you created (for example, click OperationsManagerCert), and then click OK.

To create a setup information (.inf) file
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type Notepad, and then click OK.
3. Create a text file containing the following content:

   [NewRequest]
   Subject="CN=<FQDN of the computer for which you are creating the certificate; for example, the gateway server or management server>"
   Exportable=TRUE
   KeyLength=2048
   KeySpec=1
   KeyUsage=0xf0
   MachineKeySet=TRUE
   [EnhancedKeyUsageExtension]
   OID=1.3.6.1.5.5.7.3.1
   OID=1.3.6.1.5.5.7.3.2

4. Save the file with an .inf file name extension; for example, RequestConfig.inf.
5. Close Notepad.

To create a request file to use with an enterprise CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -New -f RequestConfig.inf CertRequest.req, and then press ENTER.
4. Using Notepad, open the resulting file (for example, CertRequest.req), and copy the contents of this file to the clipboard.

To submit a request to an enterprise CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, start Internet Explorer, and then connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
   Note
   If an HTTPS binding has not been configured on the Certificate Services Web site, the browser will fail to connect. See the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA in this guide.
2. On the Microsoft Active Directory Certificate Services Welcome screen, click Request a certificate.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the CertRequest.req file that you copied in step 4 of the previous procedure.
6. In the Certificate Template list, select the certificate template that you created (for example, OperationsManagerCert), and then click Submit.
7. On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
8. In the File Download Security Warning dialog box, click Save, and save the certificate; for example, save as NewCertificate.cer.
9. Close Internet Explorer.

To import the certificate into the certificate store
1. On the computer hosting the Operations Manager component for which you are configuring the certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -Accept NewCertificate.cer, and then press ENTER.

To import the certificate into Operations Manager using MOMCertImport
1. Log on to the computer where you installed the certificate with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386, and then press ENTER.
   Note
   On 64-bit computers, type cd\SupportTools\amd64
6. Type the following: MOMCertImport /SubjectName <Certificate Subject Name>
7. Press ENTER.
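The .inf file, the CertReq -New request and the CertReq -Accept import from the procedures above, scripted in Windows PowerShell. This is an added example and not code from the Operations Manager guide or from the product; the function names (New-OpsMgrRequestInf, Invoke-OpsMgrCertRequest, Complete-OpsMgrCertRequest) are assumptions, and it assumes you run it as an administrator on the computer hosting the Operations Manager component, with certreq.exe on the path. The .inf values are exactly those the guide specifies; the FQDN is taken from the local computer rather than typed by hand, which avoids the most common cause of a certificate that MOMCertImport later rejects (a subject CN that does not match the computer name).

```powershell
# Added example (not from the Operations Manager guide). Function names are assumptions.

function New-OpsMgrRequestInf {
    param(
        # The guide requires CN=<FQDN of this computer>; derive it instead of typing it.
        [string]$Subject = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName),
        [string]$Path = 'RequestConfig.inf'
    )
    # Same settings as the guide's .inf: 2048-bit exportable machine key,
    # KeyUsage 0xf0 (digitalSignature, nonRepudiation, keyEncipherment,
    # dataEncipherment), EKUs Server Authentication and Client Authentication.
    $inf = @"
[NewRequest]
Subject="CN=$Subject"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    return $Path
}

function Invoke-OpsMgrCertRequest {
    param([string]$Inf = 'RequestConfig.inf', [string]$Request = 'CertRequest.req')
    # certreq -new generates the key pair in the machine store and writes the
    # PKCS #10 request; -f overwrites an existing request file.
    & certreq.exe -new -f $Inf $Request
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    # The contents of this file are what you paste into the CA's Saved Request box.
    return (Resolve-Path $Request).Path
}

function Complete-OpsMgrCertRequest {
    param([string]$Cer = 'NewCertificate.cer')
    # certreq -accept matches the issued certificate to the pending request's
    # private key and places it in Local Computer\Personal.
    & certreq.exe -accept $Cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
}

# Usage (run the first two before submitting to the CA, the third after you
# have downloaded the Base 64 encoded certificate from the CA web page):
New-OpsMgrRequestInf | Out-Null
Invoke-OpsMgrCertRequest
# Complete-OpsMgrCertRequest -Cer 'NewCertificate.cer'
```

After Complete-OpsMgrCertRequest, the guide's MOMCertImport /SubjectName step needs the CN you put in the .inf; New-OpsMgrRequestInf's default Subject is that value.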

See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007

How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
Use the procedures in this topic to obtain a certificate from a stand-alone Windows Server 2008 based computer hosting Active Directory Certificate Services (AD CS). You will use the CertReq command-line utility to request and accept a certificate, and you will use a Web interface to submit and retrieve your certificate. It is assumed that you have AD CS installed, an HTTPS binding is being used, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.

Important
The content for this topic is based on the default settings for Windows Server 2008 AD CS; for example, setting the key length to 2048, selecting Microsoft Software Key Storage Provider as the CSP, and using Secure Hash Algorithm 1 (SHA1). Evaluate these selections against the requirements of your company's security policy.

The high-level process to obtain a certificate from a stand-alone certification authority (CA) is as follows:
1. Download the Trusted Root (CA) certificate.
2. Import the Trusted Root (CA) certificate.
3. Create a setup information file to use with the CertReq command-line utility.
4. Create a request file.
5. Submit a request to the CA using the request file.
6. Approve the pending certificate request.
7. Retrieve the certificate from the CA.
8. Import the certificate into the certificate store.
9. Import the certificate into Operations Manager using MOMCertImport.

To download the Trusted Root (CA) certificate
1. Log on to the computer where you want to install a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
5. In the File Download dialog box, click Save and save the certificate; for example, Trustedca.p7b.
6. When the download has finished, close Internet Explorer.

To import the Trusted Root (CA) Certificate
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
11. Right-click Certificates, select All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. On the File to Import page, click Browse, go to the location where you downloaded the CA certificate file (for example, TrustedCA.p7b), select the file, and then click Open.
14. On the File to Import page, select Place all certificates in the following store, ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.

To create a setup information (.inf) file
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type Notepad, and then click OK.
3. Create a text file containing the following content:

   [NewRequest]
   Subject="CN=<FQDN of the computer for which you are creating the certificate; for example, the gateway server or management server>"
   Exportable=TRUE
   KeyLength=2048
   KeySpec=1
   KeyUsage=0xf0
   MachineKeySet=TRUE
   [EnhancedKeyUsageExtension]
   OID=1.3.6.1.5.5.7.3.1
   OID=1.3.6.1.5.5.7.3.2

4. Save the file with an .inf file name extension; for example, RequestConfig.inf.
5. Close Notepad.

To create a request file to use with a stand-alone CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -New -f RequestConfig.inf CertRequest.req, and then press ENTER.
4. Open the resulting file (for example, CertRequest.req) with Notepad, and copy the contents of this file to the clipboard.

To submit a request to a stand-alone CA
1. On the computer hosting the Operations Manager component for which you are requesting a certificate, start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).
   Note
   If an HTTPS binding has not been configured on the Certificate Services Web site, the browser will fail to connect. See the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA in this guide.
2. On the Microsoft Active Directory Certificate Services Welcome screen, click Request a certificate.
3. On the Request a Certificate page, click advanced certificate request.
4. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the CertRequest.req file that you copied in step 4 of the previous procedure, and then click Submit.
6. Close Internet Explorer.

To approve the pending certificate request
1. Log on as a certification authority administrator to the computer hosting Active Directory Certificate Services.
2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
3. In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.
4. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.
5. Click Issued Certificates, and confirm that the certificate you just issued is listed.
6. Close Certification Authority.

To retrieve the certificate
1. Log on to the computer where you want to install a certificate; for example, the gateway server or management server.
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).
3. On the Microsoft Active Directory Certificate Services Welcome page, click View the status of a pending certificate request.
4. On the View the Status of a Pending Certificate Request page, click the certificate you requested.
5. On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
6. In the File Download Security Warning dialog box, click Save, and save the certificate; for example, as NewCertificate.cer.
7. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
8. Close Internet Explorer.

To import the certificate into the certificate store
1. On the computer hosting the Operations Manager component for which you are configuring the certificate, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. In the command window, type CertReq -Accept NewCertificate.cer, and then press ENTER.

To import the certificate into Operations Manager using MOMCertImport
1. Log on to the computer where you installed the certificate with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386, and then press ENTER.
   Note
   On 64-bit computers, type cd\SupportTools\amd64
6. Type the following: MOMCertImport /SubjectName <Certificate Subject Name>
7. Press ENTER.
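Every procedure in these topics ends with MOMCertImport, and the note in the Windows Server 2003 stand-alone topic explains how to tell the right certificate apart when several are present (Server Authentication plus Client Authentication purposes, matching name). The following Windows PowerShell function performs that check for you against Local Computer\Personal before you run MOMCertImport, whichever CA issued the certificate. It is an added example, not code from the guide or the product; the function name Test-OpsMgrCertificate is an assumption, and it assumes you run it on the computer that holds the certificate. Beyond the guide's note, it also confirms that the private key is present, that the key is 2048 bits or larger, that the certificate has not expired, and that a chain can be built to a trusted root, which is what the imported Trusted Root (CA) certificate is for.

```powershell
# Added example (not from the Operations Manager guide). Function name is an assumption.

function Test-OpsMgrCertificate {
    param(
        # MOMCertImport expects the subject CN to be this computer's FQDN.
        [string]$ExpectedCN = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect the EKU OIDs from the Enhanced Key Usage extension, if any.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        $keyLen = 0
        try { $keyLen = $cert.PublicKey.Key.KeySize } catch { }

        # Chain building uses the Trusted Root Certification Authorities store
        # that the guide had you import the CA certificate into.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            CnMatches     = ($cn -eq $ExpectedCN)
            HasPrivateKey = $cert.HasPrivateKey
            HasBothEkus   = (($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth))
            KeyLengthOk   = ($keyLen -ge 2048)
            NotExpired    = ($cert.NotAfter -gt (Get-Date))
            ChainTrusted  = $chainOk
            ChainStatus   = $status
        }
    }
}

# Usage: list every candidate, then keep only those that pass every check.
$all = Test-OpsMgrCertificate
$all | Format-Table Thumbprint, CnMatches, HasPrivateKey, HasBothEkus, KeyLengthOk, NotExpired, ChainTrusted -AutoSize
$usable = @($all | Where-Object {
    $_.CnMatches -and $_.HasPrivateKey -and $_.HasBothEkus -and $_.KeyLengthOk -and $_.NotExpired -and $_.ChainTrusted
})
if ($usable.Count -ne 1) {
    Write-Warning "Expected exactly one usable certificate, found $($usable.Count); review ChainStatus and the columns above."
} else {
    # This is the value to pass to MOMCertImport /SubjectName.
    Write-Host "Subject for MOMCertImport /SubjectName: $($usable[0].Subject)"
}
```

A certificate that fails only ChainTrusted usually means the Trusted Root (CA) import step was skipped or went into the wrong store; one that fails HasPrivateKey means CertReq -Accept was run on a different computer from CertReq -New. In the 1024-bit Windows Server 2003 procedures KeyLengthOk will report false; that reflects the guide's own note to evaluate the key size against your security policy.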

See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007

How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007


Use the following procedure to remove certificates that have been imported using the MOMCertImport tool.

To remove certificates imported with the MOMCertImport tool
1. Log on to the computer with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
5. Type cd\SupportTools\i386, and then press ENTER.
   Note
   On 64-bit computers, type cd\SupportTools\amd64
6. Type the following: MOMCertImport /Remove, and then press ENTER.

See Also
How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007

How to Change the Run As Account Associated with a Run As Profile


By default, the following Run As Profiles have a Run As Account associated with them:
- Data Warehouse Account
- Data Warehouse Configuration Synchronization Reader Account
- Data Warehouse Report Deployment Account
- Data Warehouse SQL Server Authentication Account
- Reporting SDK SQL Server Authentication Account

For example, the Run As Profile named Data Warehouse SQL Server Authentication Account has the Run As Account named Data Warehouse SQL Server Authentication Account associated with it. As an example, you can use the following procedure to change the Run As Account associated with the Run As Profile called Data Warehouse SQL Server Authentication Account. It is assumed that the new Run As Account that you want to associate with this Run As Profile has already been created. For more information about Run As Accounts and Run As Profiles, see the topic How to Administer Security Roles, Accounts, and Profiles in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=88131).

To change the Run As Account associated with a Run As Profile
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 management group.
2. In the Operations console, click the Administration button.
   Note
   When you run the Operations console on a computer that is not a management server, the Connect To Server dialog box displays. In the Server name text box, type the name of the Operations Manager 2007 management server that you want the Operations console to connect to.
3. In the Administration pane, expand Administration, expand Security, and then click Run As Profiles.
4. In the Run As Profiles pane, right-click Data Warehouse SQL Server Authentication Account, and then click Properties.
5. In the Run As Profile - Data Warehouse SQL Server Authentication Account dialog box, click the Run As Accounts tab.
6. Under Run As Accounts, click the target computer, and then click Edit.
7. In the Edit Alternate Run As Account dialog box, click the Run As Account list, select the new Run As Account that you want to associate with this Run As Profile, and then click OK.
8. In the Run As Profile - Data Warehouse SQL Server Authentication Account dialog box, click OK.

How to Configure an HTTPS Binding for a Windows Server 2008 CA


If you are setting up a new CA for the first time for use with Operations Manager 2007, use the following procedure to configure an HTTPS binding for the certification authority (CA).

To configure an HTTPS binding
1. On the computer hosting your CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager dialog box, in the Connections pane, expand your computer name, expand Sites, and then click Default Web Site.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, click Add.
5. In the Add Site Binding dialog box, on the Type menu, select https.
6. In the SSL Certificate list, select the entry that matches the name of your computer, and then click OK.
7. In the Site Bindings dialog box, click Close.
8. In the Connections pane, under Default Web Site, click CertSrv.
9. In the /CertSrv Home pane, right-click SSL Settings, and then click Open Feature.
10. In the SSL Settings pane, click Require SSL, and then click Require 128-bit SSL.
11. In the Actions pane, click Apply, and then close Internet Information Services (IIS) Manager.
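The same binding and /CertSrv SSL settings, applied with the IIS WebAdministration module instead of IIS Manager, so the configuration can be repeated on another CA or checked into a build script. This is an added example and not code from the guide or from IIS; it assumes IIS 7 on the CA with the WebAdministration module or snap-in available, a certificate for the computer's own name already in Local Computer\Personal (step 6 above), and the function name Set-CertSrvHttpsBinding is an assumption. Requiring 128-bit SSL on /CertSrv matters because the request and the issued certificate both travel through that virtual directory; the Require SSL flag alone would still allow weaker cipher suites.

```powershell
# Added example (not from the Operations Manager guide). Function name is an assumption.
Import-Module WebAdministration

function Set-CertSrvHttpsBinding {
    param([string]$SiteName = 'Default Web Site', [int]$Port = 443)

    # Step 6 of the guide: the certificate whose subject matches this computer.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fqdn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No machine certificate with CN=$fqdn found in Local Computer\Personal" }

    # Steps 3 to 5: add the https binding if the site does not already have one.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    }

    # Associate the certificate with the HTTPS listener. IIS:\SslBindings is the
    # module's view of the same table that "netsh http show sslcert" displays.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (-not (Test-Path $sslPath)) {
        New-Item $sslPath -Value $cert | Out-Null
    }

    # Steps 8 to 10: on /CertSrv only, Require SSL and Require 128-bit SSL.
    Set-WebConfigurationProperty -Filter '/system.webServer/security/access' `
        -Name sslFlags -Value 'Ssl,Ssl128' -PSPath "IIS:\Sites\$SiteName\CertSrv"

    return $cert.Thumbprint
}

function Test-CertSrvHttpsBinding {
    param([string]$SiteName = 'Default Web Site')
    # Read back what IIS Manager would show in SSL Settings for /CertSrv.
    $flags = (Get-WebConfigurationProperty -Filter '/system.webServer/security/access' `
        -Name sslFlags -PSPath "IIS:\Sites\$SiteName\CertSrv").ToString()
    $hasBinding = [bool](Get-WebBinding -Name $SiteName -Protocol https)
    return ($hasBinding -and ($flags -match 'Ssl') -and ($flags -match 'Ssl128'))
}

# Usage:
$thumb = Set-CertSrvHttpsBinding
Write-Host "HTTPS binding uses certificate $thumb; /CertSrv hardened: $(Test-CertSrvHttpsBinding)"
```

If the CA's computer certificate was issued by the CA itself, remember that clients connecting to https://<servername>/certsrv must already trust that CA's root, which is why the Operations Manager procedures download and import the Trusted Root (CA) certificate first.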

Authentication and Data Encryption for UNIX and Linux Operating Systems
With Operations Manager 2007 R2, you can deploy agents to UNIX-based or Linux-based computers. In such an environment, Kerberos authentication is not possible. Therefore, certificates are used between the management server and the UNIX-based or Linux-based computers. In this scenario, the certificates are self-signed by the management server. (Although it is possible to use third-party certificates, they are not needed.)

There are two methods you can use to deploy agents. You can use the Discovery Wizard or you can manually install an agent. Of these two methods, manually installing an agent is the more secure option. When you use the Discovery Wizard to push agents to UNIX-based or Linux-based computers, you trust that the computer that you are deploying to is really the computer that you think it is. Deploying agents with the Discovery Wizard therefore carries greater risk when the target computers are on the public network or in a DMZ. In this section of the Security Guide, we will discuss how to manually deploy an agent to a UNIX-based or Linux-based computer.

When you use the Discovery Wizard to deploy an agent, the Discovery Wizard performs the following functions:

Deployment
The Discovery Wizard copies the agent package to the UNIX-based or Linux-based computer and then starts the installation process.

Certificate Signing
Operations Manager retrieves the certificate from the agent, signs the certificate, deploys the certificate back to the agent, and then restarts the agent.

Discovery
The Discovery Wizard discovers the computer and tests to see that the certificate is valid. If the Discovery Wizard verifies that the computer can be discovered and that the certificate is valid, the Discovery Wizard adds the newly discovered computer to the Operations Manager database.

When you manually deploy an agent, you perform the first two steps that are typically handled by the Discovery Wizard, deployment and certificate signing. Then, you use the Discovery Wizard to add the computer to the Operations Manager database. If there are existing certificates on the system, they are reused during agent installation. New certificates are not created. Certificates are not automatically deleted when you uninstall an agent. You must manually delete the certificates that are listed in the /etc/opt/microsoft/scx/ssl folder. To regenerate the certificates at install, you must remove this folder before agent installation. Hash values for the agent binaries are available in Appendix B - List of Hash Values for UNIX and Linux Agents in this guide. For instructions on how to manually deploy an agent, see the Manually Installing Cross-platform Agents topic in the Operations Manager 2007 R2 Operations Guide (http://go.microsoft.com/fwlink/?LinkID=146211), and then use the following procedure to install the certificates.

UNIX and Linux Firewall Considerations


If you have a firewall on your UNIX-based or Linux-based computer, you must open port 1270 (inbound). This port number is not configurable. If you are deploying agents in a low security environment and you use the Discovery Wizard to deploy and sign the certificates, you must open the SSH port. The SSH port number is configurable. By default, SSH uses inbound TCP port 22.

How to Manually Install Certificates for Cross-Platform Support


You must have already manually installed an agent before you start this procedure. You will need a root or elevated account to perform the procedure.

To install certificates for cross-platform support
1. On the computer that is hosting the UNIX or Linux operating system, locate the file /etc/opt/microsoft/scx/ssl/scx-host-<hostname>.pem and securely copy or transfer it to any location on the computer that is hosting Operations Manager 2007 R2.
2. On the computer that is hosting Operations Manager 2007 R2, on the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd, and then press ENTER.
4. Change directories to the location where you copied scx-host-<hostname>.pem.
5. Type the command scxcertconfig -sign scx-host-<hostname>.pem scx_new.pem, and then press ENTER. This command signs your certificate (scx-host-<hostname>.pem) with the management server's certificate and saves the signed certificate as scx_new.pem.
   Note
   Ensure that the location where Operations Manager is installed is in your path statement, or use the fully qualified path of the scxcertconfig.exe file.
6. Securely copy or transfer the scx_new.pem file into the /etc/opt/microsoft/scx/ssl folder on the computer that is hosting the UNIX or Linux operating system. This replaces the original scx-host-<hostname>.pem file.
7. Restart the agent by typing scxadmin -restart.

To discover a UNIX or Linux computer by using Operations Manager 2007 R2
1. On the computer that is hosting Operations Manager 2007 R2, start the Operations Manager console, and then click Administration.
2. In the Administration pane, click Discovery Wizard.
3. In the Computer and Discovery Management Wizard, on the Discovery Type page, click Unix/Linux computers, and then click Next.
4. On the Discovery Method page, click Add.
5. In the Define discovery criteria dialog box, in the Discovery scope area, select DNS name, and then type the fully qualified domain name of the UNIX or Linux computer that you want to add.
6. In the Credentials area, type the username and password of a valid account, and then click OK.
7. On the Discovery Method page, make sure that Enable SSH based discovery is not selected; if necessary, select the management server that you used to sign the certificate, and then click Discover.
8. On the Select Computers to Manage page, select the computer, and then click Next.
9. On the Summary page, click Done.
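Two checks worth running on the management server between step 5 (scxcertconfig -sign) and step 6 (copying scx_new.pem back), and again before the discovery procedure: that the signed file still carries the agent's own subject but is now issued by the management server rather than self-signed, and that the agent port 1270 named in the firewall section is reachable. This is an added Windows PowerShell example, not code from the guide or the product; the function names (Test-ScxSignedCertificate, Test-TcpPort) and the host name agent01.contoso.com are assumptions, and it assumes the two .pem files are in the current directory. The discovery procedure above has you leave SSH-based discovery off, so only 1270 is tested.

```powershell
# Added example (not from the Operations Manager guide). Function names and
# the host name agent01.contoso.com are assumptions.

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; Test-NetConnection is not available
    # on the Windows Server 2008 era hosts this guide targets.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ScxSignedCertificate {
    param(
        [string]$Original = 'scx-host-agent01.pem',   # copied from /etc/opt/microsoft/scx/ssl
        [string]$Signed   = 'scx_new.pem'              # output of scxcertconfig -sign
    )
    # X509Certificate2 reads Base64 PEM certificate files directly.
    $before = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Original
    $after  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Signed

    New-Object PSObject -Property @{
        # The agent's identity must not change, or the agent will not accept the file.
        SubjectUnchanged = ($before.Subject -eq $after.Subject)
        # A freshly installed agent has a self-signed certificate...
        WasSelfSigned    = ($before.Subject -eq $before.Issuer)
        # ...and after signing the issuer is the management server's certificate.
        NowSignedByMS    = ($after.Subject -ne $after.Issuer)
        Subject          = $after.Subject
        Issuer           = $after.Issuer
        NotAfter         = $after.NotAfter
        Thumbprint       = $after.Thumbprint
    }
}

# Usage:
$check = Test-ScxSignedCertificate
$check | Format-List
if (-not ($check.SubjectUnchanged -and $check.NowSignedByMS)) {
    Write-Warning 'scx_new.pem does not look like a management-server-signed copy of the agent certificate; re-run scxcertconfig -sign.'
}
if (-not (Test-TcpPort -HostName 'agent01.contoso.com' -Port 1270)) {
    Write-Warning 'TCP 1270 is not reachable; open it inbound on the UNIX or Linux host before running the Discovery Wizard.'
}
```

The Thumbprint value is a convenient record to keep with your change ticket: because existing certificates in /etc/opt/microsoft/scx/ssl are reused on reinstall and are not removed on uninstall, it lets you later confirm which certificate a host is actually presenting.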

Using a Firewall with Operations Manager 2007


Security Hardening Guide
The Microsoft Operations Manager 2007 Security Hardening Guide provides you with essential information about how to further protect, or harden, your Operations Manager 2007 environment by using the Security Configuration Wizard (SCW). SCW is an attack-surface reduction tool for products that are running the Windows Server 2003 Service Pack 1 (SP1) operating systems, the Windows Server 2003 Service Pack 2 (SP2) operating systems, and the Windows Server 2003 R2 operating systems. In addition to practical, hands-on configuration recommendations, this guide includes information about how to upgrade an agent that has been locked down, how to customize port numbers that have been changed from their default settings, and some examples for hardening a server and an agent. Although most server administrators can benefit from reading this guide, it is designed to produce maximum benefits for administrators who are responsible for Operations Manager 2007 security. For more information, see the System Center Operations Manager 2007 SCW Roles and Security Hardening Guide for Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=120136).

Connecting to the Reporting Data Warehouse Across a Firewall


This section describes how to configure your environment to support placing a Reporting data warehouse behind a firewall.

Note
Separating the Operations console, root management server, management server, or Reporting Server by either a firewall or across a trust boundary is not supported.

In an environment where the Reporting data warehouse is separated from the root management server and Reporting Server by a firewall, Windows Integrated Authentication cannot be used. You need to take steps to configure SQL Server Authentication. The following sections explain how to enable SQL Server Authentication between the root management server (or management server), the Reporting Server, and the Reporting data warehouse, as shown in the following illustration.

Management Server and Reporting Data Warehouse


The following steps are necessary to enable SQL Server Authentication:
1. On the computer hosting the Reporting data warehouse, create a SQL Login in the proper role for reader and writer. The credentials you supply for this account must be made a member of the following roles in the OperationsManagerDW database on the computer running SQL Server:
   a. OpsMgrWriter
   b. db_owner (only for the owning management group in the database)
2. On the computer hosting the root management server, create a Run As Account (of type Simple) with the credentials from the previous step.
3. Associate this Run As Account with the Run As Profile called Data Warehouse SQL Server Authentication Account, targeting this Run As Profile to each management server. For more information, see How to Change the Run As Account Associated with a Run As Profile in this guide.

If there is a firewall between the management server and the Reporting data warehouse, you will need to open port 1433.

Reporting Server and Reporting Data Warehouse


If there is a firewall or trust boundary between the Reporting Server and the Reporting data warehouse, point-to-point communications will need to be established.


The account that was specified as the Data Reader Account during setup of Reporting becomes the Execution Account on Reporting Server, and it is this account that will be used to connect to the Reporting data warehouse. You will need to determine what port number the computer running SQL Server on the Reporting data warehouse is using and enter this number into the dbo.MT_DataWarehouse table in the Operations Manager database. See How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port in this guide.

Reporting Server and Root Management Server Separated by a Firewall


A "Could not verify if current user is in sysadmin Role" error message might display when installing Reporting if the reporting server and the root management server are separated by a firewall. This error message might display even if the proper firewall ports have been opened. This error occurs after entering the computer name for the root management server and clicking Next. This error might also display because Reporting Setup was unable to connect to the Operations Manager database on the root management server. In this environment you will need to determine what port number is being used by the computer running SQL Server and configure the Operations Manager database to use the port number. See the topic How to Configure the Operations Manager Database to Listen on a Specific TCP/IP Port in this guide.

Port Assignments
The following table shows Operations Manager 2007 component interaction across a firewall, including information about the ports used for communication between the components, which direction to open the inbound port, and whether the port number can be changed.
Operations Manager 2007 SP1 Component A | Port Number and Direction | Operations Manager 2007 SP1 Component B | Configurable | Note
--- | --- | --- | --- | ---
root management server | 1433 ---> | Operations Manager database | Yes (Setup) |
management server | 1433 ---> | Operations Manager database | Yes (Setup) |
management server | 5723, 5724 ---> | root management server | No | Port 5724 must be open to install this component and can be closed after this component has been installed.
gateway server | 5723 ---> | root management server | No |
root management server | 1433 ---> | Reporting data warehouse | No |
Reporting server | 5723, 5724 ---> | root management server | No | Port 5724 must be open to install this component and can be closed after this component has been installed.
Operations console | 5724 ---> | root management server | No |
Connector framework source | 51905 ---> | root management server | No |
Web console server | 5724 ---> | root management server | No |
Web console browser | 51908 ---> | Web console server | Yes (IIS Admin) | Port 51908 is the default port used when selecting Windows Authentication. If you select Forms Authentication, you will need to install an SSL certificate and configure an available port for https functionality for the Operations Manager 2007 WebConsole Web site.
connected root management server (Local) | 5724 ---> | connected root management server (Connected) | No |
Agent installed using MOMAgent.msi | 5723 ---> | root management server | Yes (Setup) |
Agent installed using MOMAgent.msi | 5723 ---> | management server | Yes (Setup) |
Agent installed using MOMAgent.msi | 5723 ---> | gateway server | Yes (Setup) |
gateway server | 5723 ---> | management server | Yes (Setup) |
Agent (Audit Collection Services forwarder) | 51909 ---> | management server Audit Collection Services collector | Yes (Registry) |
Agentless Exception Monitoring data from client | 51906 ---> | management server Agentless Exception Monitoring file share | Yes (Client Monitoring Wizard) |
Customer Experience Improvement Program data from client | 51907 ---> | management server (Customer Experience Improvement Program End Point) | Yes (Client Monitoring Wizard) |
Operations console (reports) | 80 ---> | SQL Reporting Services | No | The Operations console uses Port 80 to connect to the SQL Reporting Services Web site.
Reporting server | 1433 ---> | Reporting data warehouse | Yes |
management server (Audit Collection Services collector) | 1433 ---> | Audit Collection Services database | Yes |

How to Configure the Operations Manager Database to Listen on a Specific TCP/IP Port
Perform the following steps to configure a static port for the Operations Manager database:
• Use the SQL Server Configuration Manager to disable dynamic port addressing, specify a static port, disable and stop the SQL Server Browser service, and then restart the SQL Server <Instance> service.
• Edit the dbo.MT_ManagementGroup table with the static port number.
• Edit the registry to configure the static port number on the root management server.

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any important data.

To configure the Operations Manager database port number
1. Log on to the computer hosting the Operations Manager database.
2. On the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Configuration Manager.
3. In the SQL Server Configuration Manager dialog box, expand SQL Server 2005 Network Configuration, and then click Protocols for <INSTANCE>.
4. In the results pane, right-click TCP/IP, and then click Properties.
5. In the TCP/IP Properties dialog box, click the IP Addresses tab.
6. Several IP addresses appear in the format IP1, IP2, up to IPAll. One of these is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP address on the computer. Expand IP1, IP2, up to IPAll.
7. For the IPn areas, if the TCP Dynamic Ports dialog box contains a 0, indicating the Database Engine is listening on dynamic ports, delete the 0.
8. In the IPAll area, if the TCP Dynamic Ports dialog box contains a port number (which indicates the dynamic port number that was assigned), delete the port number.
9. In the IPAll area, in the TCP Port dialog box, enter the static port number you want to use, and then click OK.
10. In the SQL Server Configuration Manager dialog box, click SQL Server 2005 Services.
11. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser, and select Properties.
12. In the SQL Server Browser Properties dialog box, click the Service tab.
13. In the Service tab, click Start Mode. In the Start Mode list, click Disabled, and then click OK.
14. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser, and then click Stop.
15. In the results pane, right-click SQL Server (<instance name>), and then click Restart.
16. Close the SQL Server Configuration Manager.

To enter the SQL Server port number into the dbo.MT_ManagementGroup table
1. On the computer hosting the Operations Manager database, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
2. In the Connect to Server dialog box, in the Server type list, select Database Engine.
3. In the Server name list, type the server name, instance, and port number for your Operations Manager database (for example, computer\<instance>).
4. In the Authentication list, select Windows Authentication, and then click Connect.
5. In the Object Explorer pane, expand Databases, expand OperationsManager, expand Tables, right-click dbo.MT_ManagementGroup, and then click Open Table.
6. In the results pane, scroll to the right to the column titled SQLServerName_<guid>.
7. In the first row, enter computer\<instance> followed by a comma, a space, and then the SQL Server port number (for example, computer\INSTANCE1, <port>).
8. Click File, and then click Exit.

To edit the registry on the root management server
1. Log on to the computer hosting the root management server.
2. On the Windows desktop, click Start, click Run, type regedit, and then click OK.
3. On the Registry Editor page, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Microsoft Operations Manager, expand 3.0, and then click Setup.
4. In the results pane, right-click DatabaseServerName, and then click Modify.
5. In the Edit String dialog box, in the Value data text box, append the database server name entry with a comma and a space, and then type the port number. For example, <computer_name>\<instance>, <port number>.
6. Click OK.


How to Configure the Reporting Data Warehouse to Listen on a Specific TCP/IP Port
Perform the following procedures to configure a static port for the Reporting data warehouse:
• Use the SQL Server Configuration Manager to disable dynamic port addressing, specify a static port, disable and stop the SQL Server Browser service, and then restart the SQL Server <Instance> service.
• Edit the dbo.MT_ManagementGroup table with the static port number.
• Edit the dbo.MemberDatabase table with the static port number.
• Edit the registry to configure the static port number on the root management server.
• Edit the SQL Server Reporting Services settings.

Caution
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any important data.

To configure the Operations Manager database port number
1. Log on to the computer hosting the Reporting data warehouse.
2. On the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and then click SQL Server Configuration Manager.
3. In the SQL Server Configuration Manager dialog box, expand SQL Server 2005 Network Configuration, and then click Protocols for <INSTANCE>.
4. In the results pane, right-click TCP/IP, and then click Properties.
5. In the TCP/IP Properties dialog box, click the IP Addresses tab.
6. Several IP addresses appear in the format IP1, IP2, up to IPAll. One of these is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP address on the computer. Expand IP1, IP2, up to IPAll.
7. For the IPn areas, if the TCP Dynamic Ports dialog box contains a 0, indicating the Database Engine is listening on dynamic ports, delete the 0.
8. In the IPAll area, if the TCP Dynamic Ports box contains a port number (which indicates the dynamic port number that was assigned), delete the port number.
9. In the IPAll area, in the TCP Port dialog box, enter the static port number you want to use, and then click OK.
10. In the SQL Server Configuration Manager dialog box, click SQL Server 2005 Services.
11. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser and select Properties.
12. In the SQL Server Browser Properties dialog box, click the Service tab.
13. On the Service tab, click Start Mode. In the Start Mode list, click Disabled, and then click OK.
14. In the SQL Server Configuration Manager results pane, right-click SQL Server Browser, and then click Stop.
15. In the results pane, right-click SQL Server (<instance name>) and then click Restart.
16. Close the SQL Server Configuration Manager.

To enter the SQL Server port number into the dbo.MT_ManagementGroup table
1. On the computer hosting the Operations Manager database, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
2. In the Connect to Server dialog box, in the Server type list, select Database Engine.
3. In the Server name list, type the server and instance for your Operations Manager database (for example, computer\INSTANCE1).
4. In the Authentication list, select Windows Authentication, and then click Connect.
5. In the Object Explorer pane, expand Databases, expand OperationsManager, expand Tables, right-click dbo.MT_DataWarehouse, and then click Open Table.
6. In the results pane, scroll to the right to the column titled MainDatabaseServerName_<guid>.
7. In the first row, enter computer\<instance> followed by a comma, a space, and then the SQL Server port number (for example, computer\<instance>, <port>).
8. Click File, and then click Exit.

To enter the SQL Server port number into the dbo.MemberDatabase table
1. On the computer hosting the Reporting data warehouse, on the Windows desktop, click Start, point to Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
2. In the Connect to Server dialog box, in the Server type list, select Database Engine.
3. In the Server name list, type the server and instance for your Operations Manager database (for example, computer\<instance>).
4. In the Authentication list, select Windows Authentication, and then click Connect.
5. In the Object Explorer pane, expand Databases, expand OperationsManagerDW, expand Tables, right-click dbo.MemberDatabase, and then click Open Table.
6. In the results pane, scroll to the right to the column titled ServerName.
7. In the first row, enter computer\<instance> followed by a comma, a space, and then the SQL Server port number (for example, computer\<instance>, <port>).
8. Click File, and then click Exit.

To edit the registry on the Reporting Server
1. Log on to the computer hosting the root management server.
2. On the Windows desktop, click Start, click Run, type regedit, and then click OK.
3. On the Registry Editor page, expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Microsoft Operations Manager, expand 3.0, and then click Reporting.
4. In the results pane, right-click DWDBInstance, and then click Modify.
5. In the Edit String dialog box, in the Value data text box, append the database server name entry with a comma and a space, and then type the port number. For example, <computer_name>\<instance>, <port number>.
6. Click OK.

To edit SQL Server Reporting Services
1. Log on to the computer hosting the root management server.
2. Start Internet Explorer and connect to http://<computer name>/reports$<instance name>.
3. Click the Contents tab.
4. On the right side of the toolbar, click Show Details.
5. Click Data Warehouse Main.
6. In the Connection string text box, locate the line that reads source=<computer>\<instance>;initial.
7. Append the instance name with a comma and a space, and then type the static port number. For example, source=<computer>\<instance>, <port>;initial.
8. Click Apply, and then close the browser.
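The two static-port procedures above share the same SQL Server Configuration Manager and registry steps. The following PowerShell script is an added example, not part of this guide, that performs those shared steps through the SQL Server 2005 WMI provider and the registry, assuming an elevated session, a hypothetical instance name INSTANCE1 and port 1433; the table edits and the Reporting Services connection string remain as documented in the steps above.

```powershell
# Added example, not from the Operations Manager guide. Assumes SQL Server 2005, whose
# Configuration Manager settings live in the WMI namespace
# root\Microsoft\SqlServer\ComputerManagement (SQL Server 2008 uses ComputerManagement10),
# and an elevated PowerShell session on each host.

function Set-SqlStaticTcpPort {
    # Steps 1-16 of "To configure the ... port number": clear dynamic ports, set one
    # static port on IPAll, disable and stop SQL Server Browser, restart the instance.
    param(
        [Parameter(Mandatory = $true)][string]$InstanceName,   # 'MSSQLSERVER' for the default instance
        [Parameter(Mandatory = $true)][ValidateRange(1, 65535)][int]$StaticPort
    )
    $ns = 'root\Microsoft\SqlServer\ComputerManagement'
    $props = Get-WmiObject -Namespace $ns -Class ServerNetworkProtocolProperty -ErrorAction Stop |
        Where-Object { $_.InstanceName -eq $InstanceName -and $_.ProtocolName -eq 'Tcp' }
    if (-not $props) { throw "No TCP/IP settings found for instance '$InstanceName'." }

    foreach ($p in $props) {
        if ($p.PropertyName -eq 'TcpDynamicPorts') {
            # Steps 7-8: an empty value on IPn and IPAll turns dynamic port assignment off
            $null = $p.SetStringValue('')
        }
        elseif ($p.PropertyName -eq 'TcpPort' -and $p.IPAddressName -eq 'IPAll') {
            # Step 9: the single static port the firewall rule will be written for
            $null = $p.SetStringValue([string]$StaticPort)
        }
    }

    # Steps 11-14: with SQL Server Browser disabled, clients can no longer resolve an
    # instance name to a port, which is why every stored server name must carry the port.
    Set-Service -Name 'SQLBrowser' -StartupType Disabled
    Stop-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue

    # Step 15: restart the Database Engine service so the listener binds the new port
    $svc = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
    Restart-Service -Name $svc -Force

    # Read the effective IPAll TcpPort back so the caller can verify the change
    $check = Get-WmiObject -Namespace $ns -Class ServerNetworkProtocolProperty |
        Where-Object { $_.InstanceName -eq $InstanceName -and $_.ProtocolName -eq 'Tcp' -and
                       $_.IPAddressName -eq 'IPAll' -and $_.PropertyName -eq 'TcpPort' }
    return $check.PropertyStrVal
}

function Set-OpsMgrSqlPortValue {
    # Registry step: append ", <port>" to the stored "computer\instance" value.
    # Setup\DatabaseServerName holds the Operations Manager database server;
    # Reporting\DWDBInstance holds the Reporting data warehouse server.
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Setup', 'Reporting')][string]$SubKey,
        [Parameter(Mandatory = $true)][ValidateSet('DatabaseServerName', 'DWDBInstance')][string]$ValueName,
        [Parameter(Mandatory = $true)][ValidateRange(1, 65535)][int]$Port
    )
    $key  = "HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\$SubKey"
    $path = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\$SubKey"

    # The guide's caution: back the key up before editing it (file name is a constructed example)
    $backup = Join-Path $env:TEMP ("OpsMgr-$SubKey-" + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')
    & reg.exe export $key $backup /y | Out-Null

    $current = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction Stop).$ValueName
    # Drop any port already present so the function can be re-run without stacking ", port, port"
    $base = ($current -split ',')[0].Trim()
    $new  = "$base, $Port"
    Set-ItemProperty -Path $path -Name $ValueName -Value $new
    return $new
}

# Usage (hypothetical instance name and port):
# On the SQL Server host:
#   Set-SqlStaticTcpPort -InstanceName 'INSTANCE1' -StaticPort 1433
# On the root management server (Operations Manager database):
#   Set-OpsMgrSqlPortValue -SubKey 'Setup' -ValueName 'DatabaseServerName' -Port 1433
# On the Reporting Server (Reporting data warehouse):
#   Set-OpsMgrSqlPortValue -SubKey 'Reporting' -ValueName 'DWDBInstance' -Port 1433
```

After running the first function, the firewall rule between the management server and the database host needs only the chosen static TCP port; UDP 1434 (SQL Server Browser) is no longer required.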

Using Certificates with ACS in Operations Manager 2007


When the Audit Collection Service (ACS) Forwarder is located in a domain separate from the domain where the ACS Collector is located, and no two-way trust exists between the two domains, certificates must be used so that authentication can take place between the ACS Forwarder and the ACS Collector.

It is assumed that the following events have already taken place on the computer hosting the ACS Forwarder before setting up certificates for ACS:
• An agent has been installed on the computer that will serve as the ACS Forwarder. For more information, see the topic How to Deploy the Operations Manager 2007 Agent Using the Agent Setup Wizard (http://go.microsoft.com/fwlink/?LinkId=91128).
• A certificate (and certification authority [CA] certificate) has been installed on the computer hosting the agent. For more information, see the topic Certificates in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=91129).

On the computer hosting the ACS Collector, it is assumed that the following has been performed before setting up certificates for ACS:
• A certificate (and CA certificate) has been installed on the management server hosting the ACS Collector. For more information, see the topic Certificates in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=91129).
• The pending agent has been approved and communication between the agent and the management server is operating properly (the agent appears as Healthy in the Operations Manager Console and Management Packs have been deployed to the agent). For more information, see the topic How to Approve an Operations Manager 2007 Agent Installed for a Management Group Using MOMAgent.msi (http://go.microsoft.com/fwlink/?LinkId=91130).
• The ACS Collector and Database have been installed. For more information, see the topic How to Install an ACS Collector and Database (http://go.microsoft.com/fwlink/?LinkId=91142).

The following is a high-level overview of the steps that need to be performed to use certificates with ACS.

Note
Certificates used on various components in Operations Manager 2007 (for example, ACS Collector, ACS Forwarder, agent, gateway server, management server, or root management server) must be issued by the same CA.

On the computer hosting the ACS Collector:
• Run ADTServer -c.
• Map the ACS Forwarder Certificate in Active Directory.
• In the Operations Manager Console, enable ACS.

On the computer hosting the ACS Forwarder:
• Export the certificate to a disk, USB flash drive, or network share.
• Run ADTAgent -c.

See Also
How to Configure Certificates on the ACS Collector in Operations Manager 2007
How to Configure Certificates on the ACS Forwarder in Operations Manager 2007


How to Configure Certificates on the ACS Collector in Operations Manager 2007


After certificates have been installed between the agent and the management server and ACS has been deployed, perform the following procedures on the computers hosting the ACS Collector as part of the steps necessary to configure ACS to use certificates.

Note
After you have completed these procedures, you will need to enable the ACS Forwarders. For more information, see the topic How To Enable ACS Forwarders In Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=91143).

To assign a certificate to the ACS Collector
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operating System is installed), and then press ENTER.
4. Type cd %systemroot%, and then press ENTER.
5. Type cd system32\security\adtserver, and then press ENTER.
6. Type net stop adtserver, and then press ENTER.
7. Type adtserver -c, and then press ENTER.
8. In the numbered list of certificates, find the certificate used for Operations Manager, type the number in the list (should be 1), and then press ENTER.
9. Type net start adtserver and then press ENTER.

To configure named mapping to the certificate
1. Log on to the computer hosting Active Directory.
2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Expand the domain name, right-click Computers, point to New, and then click Computer.
4. In the New Object - Computer dialog box, enter the NetBIOS name of the computer that is hosting the ACS Forwarder, and then click Next. Repeat this step for every computer that hosts an ACS Forwarder.
5. In the Managed dialog box, ensure that This is a managed computer is not selected, and then click Next.
6. In the New Object - Computer dialog box, click Finish.
7. In Active Directory Users and Computers, in the right pane, right-click the computer (or computers) you added, and then click Name Mappings.
8. In the Security Identity Mapping dialog box, click X.509 Certificates, and then click Add.
9. In the Add Certificate dialog box, click the Look in menu, select the location where the exported certificate is located, and then click Open.
10. In the Add Certificate dialog box, ensure that Use Subject for alternate security identity is selected, and then click OK.
11. In the Security Identity Mapping dialog box, click OK.
12. Repeat steps 4 through 11 for each computer you have added.

See Also
Using Certificates with ACS in Operations Manager 2007
How to Configure Certificates on the ACS Forwarder in Operations Manager 2007

How to Configure Certificates on the ACS Forwarder in Operations Manager 2007


After certificates have been installed between the agent and the management server and ACS has been deployed, perform the following procedures on the computers hosting the ACS Forwarder as part of the steps necessary to configure ACS to use certificates.

To export the certificate
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, select Local computer (the computer this console is running on), and then click Finish.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the Console Root\Certificates (Local Computer) pane, expand Certificates (Local Computer), expand Personal, and then click Certificates.
11. In the results pane, right-click the certificate you are using for Operations Manager, point to All Tasks, and then click Export.
12. In the Certificate Export Wizard, on the Welcome page, click Next.
13. On the Export Private Key page, select No, do not export the private key, and then click Next.
14. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
15. On the File to Export page, click Browse.
16. On the Save As page, select a folder and file name for the certificate, ensure that the Save as type is set to DER Encoded Binary X.509 (*.cer), and then click Save.

Note
You will need to copy this certificate to the computer hosting the ACS Collector, so choose a location that the ACS Collector can read from, or consider saving the certificate to a disk, USB flash drive, or network share. In addition, it is recommended that you include the computer name in the file name if you are exporting certificates from more than one computer.

17. On the File to Export page, ensure that the path and file name are correct, click Next, and then click Finish.

To run the adtagent command
1. On the Windows desktop, click Start, and then click Run.
2. In the Run dialog box, type cmd, and then click OK.
3. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operating System is installed), and then press ENTER.
4. Type cd %systemroot% and then press ENTER.
5. Type cd system32 and then press ENTER.
6. Type adtagent -c and then press ENTER.
7. You will see a numbered list of certificates. Find the certificate used for Operations Manager, type the number in the list (should be 1), and then press ENTER.
8. Type exit to close the command window.

See Also
How to Configure Certificates on the ACS Collector in Operations Manager 2007
Using Certificates with ACS in Operations Manager 2007

Security Considerations for Agentless Management in Operations Manager 2007


Agentless management allows you to monitor computers without installing an agent on them. For example, you can use agentless management for computers that are in special environments where an agent cannot be installed. The management server communicates with the agentless-managed computer over the RPC port (TCP 135) and the DCOM port range, and therefore using agentless management for a computer outside a firewall is not supported.

To use agentless management, the management server's action account must also be a local administrator on the remote computer and must be in the same domain, or a trust relationship must exist between their domains. For example, an agent proxy running as a low-privilege account will fail to access the WMI namespace, and therefore rules, scripts, and monitors will fail to run.

Web Console Security in Operations Manager 2007


The Web console server provides a browser-based alternative to the Monitoring pane of the Operations Manager 2007 Operations console. The Web console server is commonly used when you want to access Operations Manager 2007 management group monitoring data in the following ways:
• From the Internet
• Without installing the Operations console
• From a location with low-bandwidth connectivity
• When notifications are configured to contain hyperlinks to the relevant alerts in the Web console

Installing the Web console results in the installation of a new Web site and a new application pool in Internet Information Services (IIS). The new Web site is named Operations Manager 2007 Web console, and the new application pool is named OPWebConsoleApp. The default port for accessing the Web console from a browser using Windows-based authentication is 51908.

During the installation of the Web console, you are prompted to select either Windows Authentication or Forms Authentication. With Windows Authentication, Microsoft strongly recommends using SSL. With Forms Authentication, SSL is required. Windows Authentication can be used if all of your users access Operations Manager from within the intranet.

Note
The Web console server must be installed on the root management server if you select Windows Authentication.

If your users will be accessing the Web console from the Internet, select Forms Authentication.

Note
The best practice for accessing the Web console from the Internet is to use forms-based authentication with SSL with the Web console. With either forms-based or Windows-based authentication, the credentials you provide must be a member of a user role in Operations Manager 2007.


Exposing the Web Console to the Internet


The best practice for implementing Internet access to the Web console is to place the Web console server in an Internet-facing perimeter network. Configure the Web console to use forms-based authentication, and install an SSL/TLS certificate on IIS. You will need to open port 5724 between the Web console server and Operations Manager 2007. The channel between the Web console server and the root management server is encrypted. For more information, see the Knowledge Base article How to implement SSL in IIS (http://go.microsoft.com/fwlink/?LinkId=87862).

Appendix A - List of Operations in Operations Manager 2007


This appendix provides a list of the operations in Operations Manager 2007 that are available for each profile.

Report Operator
The Report Operator profile includes a set of privileges designed for users who need access to reports. A role based on the Report Operator profile grants members the ability to view reports according to their configured scope.
• Retrieve the instance of the data warehouse for the management group
• Write to favorite reports
• Delete favorite reports
• Read favorite reports
• Update favorite reports
• Read reports
• Run reports

Read-Only Operator
The Read-Only Operator profile includes a set of privileges designed for users who need read-only access to alerts and views. A role based on the Read-Only Operators profile grants members the ability to view alerts and access views according to their configured scope.
• Read alerts
• Retrieve the instance of the data warehouse for the management group
• Read state of a resolution
• Read instance of a connector
• Read console tasks
• Enumerate diagnostic objects
• Enumerate the results of diagnostics
• Enumerate discovery objects as defined in a management pack
• Read discovery rules
• Read events
• Write to favorite console tasks
• Delete favorite console tasks
• Enumerate favorite console tasks
• Update favorite console tasks
• Write favorite views
• Delete favorite views
• Enumerate favorite views
• Update favorite views
• Enumerate monitoring objects
• Enumerate monitoring classes
• Enumerate monitoring relationship classes
• Enumerate management packs
• Enumerate monitor types
• Enumerate module types
• Enumerate monitors
• Enumerate overrides
• Enumerate performance data
• Enumerate discovery objects as defined in a management pack
• Enumerate the status of past recoveries
• Enumerate relationship between monitored objects
• Enumerate rules
• Enumerate saved searches
• Update saved searches
• Write to saved searches
• Delete saved searches
• Enumerate state
• Allows access to connected management groups
• Enumerate views
• Enumerate view types

Operator
The Operator profile includes a set of privileges designed for users who need access to alerts, views, and tasks. A role based on the Operators profile grants members the ability to interact with alerts, run tasks, and access views according to their configured scope. The Operator profile contains all of the privileges found in the Read-Only Operator profile in addition to those listed below.
• Update alerts
• Run diagnostics
• Create favorite tasks
• Delete favorite tasks
• Enumerate favorite tasks
• Update favorite tasks
• Run recovery routines
• Update maintenance mode settings
• Enumerate notification actions
• Delete notification actions
• Update notification actions
• Enumerate notification endpoints
• Enumerate notification recipients
• Delete notification recipients
• Update notification recipients
• Enumerate notification subscriptions
• Delete notification subscriptions
• Update notification subscriptions
• Enumerate tasks
• Enumerate task status
• Run tasks

Advanced Operator
The Advanced Operator profile includes a set of privileges designed for users who need access to limited tweaking of monitoring configurations in addition to the Operator's privileges. A role based on the Advanced Operators profile grants members the ability to override the configuration of rules and monitors for specific targets or groups of targets within the configured scope. The Advanced Operator profile contains all of the privileges found in the Operator and Read-Only Operator profiles in addition to those listed below.
• Update management packs
• Enumerate templates


Author
The Author profile includes a set of privileges designed for authoring monitoring configurations. A role based on the Authors profile grants members the ability to create, edit, and delete monitoring configuration (tasks, rules, monitors, and views) within the configured scope. For convenience, Authors can also be configured to have Advanced Operator privileges scoped by group. The Author profile contains all of the privileges found in the Advanced Operator, Operator, and Read-Only Operator profiles in addition to those listed below.
• Create management packs
• Delete management packs
• Enumerate Run As Profiles

Administrator
The Administrator profile includes full privileges to Operations Manager. No scoping of the Administrator profile is supported. The Administrator profile contains all of the privileges found in the Author, Advanced Operator, Operator, and Read-Only Operator profiles in addition to those listed below.
• Create a resolution state
• Delete a resolution state
• Update a resolution state
• Deploy an agent
• Repair or update an installed agent
• Uninstall an agent
• Enumerate agent settings
• Update agent settings
• Enumerate agents
• Start or stop managing computers or devices via a proxy health service
• Enumerate computers or devices managed via a proxy health service
• Insert a new instance of a computer or device
• Delete an instance of a computer or device
• Run discovery task
• Create events
• Enumerate global settings
• Update global settings
• Export management packs
• Enumerate management servers
• Delete notification endpoint
• Update notification endpoint
• Create performance data
• Create Run As Accounts
• Delete Run As Accounts
• Enumerate Run As Accounts
• Update Run As Accounts
• Create mappings between Run As Accounts and Run As Profiles
• Delete mappings between Run As Accounts and Run As Profiles
• Enumerate mappings between Run As Accounts and Run As Profiles
• Update mappings between Run As Accounts and Run As Profiles
• Create connected management groups
• Delete connected management groups
• Enumerate user roles
• Delete user roles
• Update user roles
• Write favorite reports
• Delete favorite reports
• Read favorite reports
• Update favorite reports
• Read reports
• Run reports

Report Security Administrator


The Report Security Administrator profile includes a set of privileges designed to enable the integration of SQL Server Reporting Services security with Operations Manager.
- Export management packs
- Enumerate classes as defined in the management packs
- Enumerate management packs
- Run reports
- Enumerate rules

Appendix B - List of Hash Values for UNIX and Linux Agents


This appendix lists the hash values for the agent binaries for UNIX-based and Linux-based computers.


MD5 Hash Values


Agent                File                                       MD5 Hash
AIX 5.3 POWER        scx-1.0.4-248.aix.5.ppc.lpp.gz             a8ef3ebbed8cef7e98030b77ce01079f
AIX 6.1 POWER        scx-1.0.4-248.aix.6.ppc.lpp.gz             9d9a43a34576cc29cd150b947017d3fe
HPUX 11iv2 IA64      scx-1.0.4-248.hpux.11iv2.ia64.depot.Z      6d4faad6e35830d8df01cf2afcc33243
HPUX 11iv2 PARISC    scx-1.0.4-248.hpux.11iv2.parisc.depot.Z    12a611c53a9f02b8c49be1a6d4966e58
HPUX 11iv3 IA64      scx-1.0.4-248.hpux.11iv3.ia64.depot.Z      855518128e2a96b976b2dbdca6dec164
HPUX 11iv3 PARISC    scx-1.0.4-248.hpux.11iv3.parisc.depot.Z    5a08f1eadb99dc30d1ec25b2a8add395
RHEL 4 x64           scx-1.0.4-248.rhel.4.x64.rpm               4e6a0800d2a579c35837373ee988a3f2
RHEL 4 x86           scx-1.0.4-248.rhel.4.x86.rpm               5d059616e158d0cb0d36e43c81e4b218
RHEL 5 x64           scx-1.0.4-248.rhel.5.x64.rpm               1f47c05508f94ecd4329facbf6ff4d97
RHEL 5 x86           scx-1.0.4-248.rhel.5.x86.rpm               ac291fff0ae029c46b4bb9b0fc65226e
SLES 9 x86           scx-1.0.4-248.sles.9.x86.rpm               2a81ce3f40eabe605f1c8ddcad141c28
SLES 10 x64          scx-1.0.4-248.sles.10.x64.rpm              9911d90e16445b32ecc4d6aed9775ff1
SLES 10 x86          scx-1.0.4-248.sles.10.x86.rpm              04f77082ddb4c12da045b298dc1eab61
Solaris 8 SPARC      scx-1.0.4-248.solaris.8.sparc.pkg.Z        b3f5ab647d34d54b43f0810bb002f4c6
Solaris 9 SPARC      scx-1.0.4-248.solaris.9.sparc.pkg.Z        eb67396ee081155615b5a2d5e851a176
Solaris 10 SPARC     scx-1.0.4-248.solaris.10.sparc.pkg.Z       99ed166b51517b4356f66276b2b223dc
Solaris 10 x86       scx-1.0.4-248.solaris.10.x86.pkg.Z         dcf30dc553939aed648d0353342005cd

SHA1 Hash Values


Agent                File                                       SHA1
AIX 5.3 POWER        scx-1.0.4-248.aix.5.ppc.lpp.gz             da18adfccd7eae140ddca6177b9470e0b5776dfc
AIX 6.1 POWER        scx-1.0.4-248.aix.6.ppc.lpp.gz             cf702d3e13254eb6c8eb476c748eba346b5e775b
HPUX 11iv2 IA64      scx-1.0.4-248.hpux.11iv2.ia64.depot.Z      ceaf9b0d732ac94184d7ccedfdb2e3b4c1b761d7
HPUX 11iv2 PARISC    scx-1.0.4-248.hpux.11iv2.parisc.depot.Z    cfa64d3d29f4ce7404229c6418983946cb46d415
HPUX 11iv3 IA64      scx-1.0.4-248.hpux.11iv3.ia64.depot.Z      2e33c132f73e8355f663c864e9c5f39ac4a7c1c0
HPUX 11iv3 PARISC    scx-1.0.4-248.hpux.11iv3.parisc.depot.Z    e1836db997d1992fdf9a0d2c9b41938f5bf880ec
RHEL 4 x64           scx-1.0.4-248.rhel.4.x64.rpm               7061fbaa60f7b7b260445a26a0783f2b663c18df
RHEL 4 x86           scx-1.0.4-248.rhel.4.x86.rpm               a36c7c3abed1db65bf1c21d5d1eb0b30ef57afe3
RHEL 5 x64           scx-1.0.4-248.rhel.5.x64.rpm               c112b0093c020615ee93e61b32e8f705a0f324b3
RHEL 5 x86           scx-1.0.4-248.rhel.5.x86.rpm               9bf4a5e8acaf24497cd24bf16017a1b173cb1d50
SLES 9 x86           scx-1.0.4-248.sles.9.x86.rpm               63796e9167ce6a04fe82eb5202c3c98dfa0dd37c
SLES 10 x64          scx-1.0.4-248.sles.10.x64.rpm              391004f7535a7185d6817ed327c024b2d0e3777a
SLES 10 x86          scx-1.0.4-248.sles.10.x86.rpm              b6b9923b47753d013b69f1abd638f1a9c0788234
Solaris 8 SPARC      scx-1.0.4-248.solaris.8.sparc.pkg.Z        08c2059863c4aaa5ee79790a83bb8f9da4b3240a
Solaris 9 SPARC      scx-1.0.4-248.solaris.9.sparc.pkg.Z        21f14b470de0e8d311c66d55e438c55688c5aadf
Solaris 10 SPARC     scx-1.0.4-248.solaris.10.sparc.pkg.Z       de0ddcf80dce18e0599ec20d29b57145126cee55
Solaris 10 x86       scx-1.0.4-248.solaris.10.x86.pkg.Z         499526bb43cb3ce9db6d7cf122b6bd5f15858bb4


SHA256 Hash Values


Agent                File                                       SHA256
AIX 5.3 POWER        scx-1.0.4-248.aix.5.ppc.lpp.gz             40f93e6c5dabc07ae983814bd24bae2f9f53448dcd51d5cb4ac43e47e51a2506
AIX 6.1 POWER        scx-1.0.4-248.aix.6.ppc.lpp.gz             670e02e9af19bb3aea0593947676843faf6c360694bed41cd3a0bc0fd20fbbcc
HPUX 11iv2 IA64      scx-1.0.4-248.hpux.11iv2.ia64.depot.Z      a60e92bcfb53b7d49bfb2dcc909690cb955800922fd54e496a27796e684ec3fc
HPUX 11iv2 PARISC    scx-1.0.4-248.hpux.11iv2.parisc.depot.Z    553390b3ef4cc21375bc307855bb16c9865b196c4403605fe1df079f9f503d74
HPUX 11iv3 IA64      scx-1.0.4-248.hpux.11iv3.ia64.depot.Z      f102b4c36447b1a2c6a6b374228fba03ec0547e3750826a94578d28a219f516a
HPUX 11iv3 PARISC    scx-1.0.4-248.hpux.11iv3.parisc.depot.Z    8d43eab9b481d51f4b9efb74ec5eb03e08eb5d8556032e745588e9b3a2eb327d
RHEL 4 x64           scx-1.0.4-248.rhel.4.x64.rpm               382b7d7afd1075cc188626b59b8f48b1c7666bdfc29c6bed1ab3e8191c9394fe
RHEL 4 x86           scx-1.0.4-248.rhel.4.x86.rpm               281d51128b98526f2223fcea93ebd72cf1b46ee81f4f5a65a08c17d39c2fb7dc
RHEL 5 x64           scx-1.0.4-248.rhel.5.x64.rpm               6448da9d2fbdc75e662255edbf22e4523c38f614baf9a0bcea9795a17be578d4
RHEL 5 x86           scx-1.0.4-248.rhel.5.x86.rpm               70408343a052ea77960315dd76ff70b9b42aad2c8c41c50997e2d5e2d30f0b1d
SLES 9 x86           scx-1.0.4-248.sles.9.x86.rpm               e628120ae89004d828bd8334330b2c44ea6cb165985b39149d28084e8849f86a
SLES 10 x64          scx-1.0.4-248.sles.10.x64.rpm              20be0a828a355f907f9a8a7dedbd8900e83f9be14b304c10054d9619b0c9998d
SLES 10 x86          scx-1.0.4-248.sles.10.x86.rpm              854262692e324bcbf78501a6b5d5199a10b4e608bcbed6524a82bee205d1f256
Solaris 8 SPARC      scx-1.0.4-248.solaris.8.sparc.pkg.Z        ad3754a5064d7733b7b096c111efbf5630927852c07b16ea0799bf7aefb1740a
Solaris 9 SPARC      scx-1.0.4-248.solaris.9.sparc.pkg.Z        81bec81c17ea8a86833accbda8c6045147b08f38b600b7cea0dcc730a59b2d90
Solaris 10 SPARC     scx-1.0.4-248.solaris.10.sparc.pkg.Z       a37a23b3ec25f8c1294c248d13cb73bbe5a7ea8fe2631bfbb42c847f724a90da
Solaris 10 x86       scx-1.0.4-248.solaris.10.x86.pkg.Z         54abb0189e2b70c13644c901dc495b045bdc1e2a087a634b222ca42b4826d6c9
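The tables above are only useful if a downloaded package is actually checked against them before it is pushed to a UNIX or Linux computer. The script below is an added example, not part of the guide and not Microsoft's tooling: it hashes a package file in one pass, normalizes a pasted digest (the printed SHA256 column wraps across lines, so whitespace and case must be tolerated), compares every published digest, and refuses to accept a package on an MD5 or SHA1 match alone, because neither of those algorithms is collision resistant. The sample package bytes and the "expected" values in main() are constructed for the demonstration; in real use, paste the row for your package (for example scx-1.0.4-248.rhel.5.x64.rpm) from the three tables.

```python
"""Verify a downloaded Operations Manager 2007 R2 UNIX/Linux agent package
against the digests published in Appendix B.

Added example, not code from the guide. The package content and expected
digests used in main() are constructed stand-ins.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Digest algorithms the appendix publishes, with their hex digest lengths.
ALGORITHMS = {"md5": 32, "sha1": 40, "sha256": 64}


def normalize_hex(value, algorithm):
    """Strip whitespace (a printed SHA256 may wrap across lines), lower-case,
    and check that the result can be a digest of the named algorithm."""
    cleaned = re.sub(r"\s+", "", value).lower()
    if len(cleaned) != ALGORITHMS[algorithm] or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("bad %s digest: %r" % (algorithm, value))
    return cleaned


def digests_of_bytes(data):
    """Return {algorithm: hexdigest} for in-memory data."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large .depot.Z / .pkg.Z archives are not read
    into memory at once; all three digests are computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_package(actual, expected):
    """Compare computed digests with the published ones.

    Returns (ok, report). report maps algorithm -> 'match' / 'MISMATCH' /
    'not checked'. ok is True only when every supplied digest matches AND a
    SHA256 value was supplied: MD5 and SHA1 are not collision resistant, so
    a package that matched only those is not accepted."""
    report = {}
    for name in ALGORITHMS:
        if name not in expected:
            report[name] = "not checked"
            continue
        want = normalize_hex(expected[name], name)
        report[name] = "match" if hmac.compare_digest(want, actual[name]) else "MISMATCH"
    ok = "sha256" in expected and "MISMATCH" not in report.values()
    return ok, report


def main():
    # Constructed stand-in for an agent package written to a temporary file.
    # A real run points digests_of_file() at the downloaded scx-*.rpm/.Z/.gz.
    sample = b"constructed sample, not a real scx package\n"
    fd, path = tempfile.mkstemp(suffix=".rpm")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        expected = digests_of_bytes(sample)  # stands in for the published row
        print("verified:", verify_package(digests_of_file(path), expected))
        # Flip the last byte of the package: every digest must now mismatch.
        tampered = sample[:-1] + b"!"
        print("tampered:", verify_package(digests_of_bytes(tampered), expected))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    main()
```

Run it as-is to see a matching and a tampered result; to check a real download, replace the constructed `expected` dictionary with the md5, sha1 and sha256 strings from the row for that package and pass the downloaded file's path to `digests_of_file()`. The comparison is deliberately all-or-nothing: one mismatching digest is enough to reject the package.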

